[FFmpeg-cvslog] avcodec/iff: Cleanup on init failure
ffmpeg | branch: master | Michael Niedermayer | Sun Jun 18 14:05:12 2017 +0200| [9a6503f496ae496dd6b1f54fd5752d48435361b0] | committer: Michael Niedermayer avcodec/iff: Cleanup on init failure Fixes: memleak Fixes: 2272/clusterfuzz-testcase-minimized-5059103858622464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a6503f496ae496dd6b1f54fd5752d48435361b0 --- libavcodec/iff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 075ada6ddd..33cf2e3a94 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1878,6 +1878,7 @@ AVCodec ff_iff_ilbm_decoder = { .init = decode_init, .close = decode_end, .decode = decode_frame, +.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .capabilities = AV_CODEC_CAP_DR1, }; #endif ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
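Review bot: Setting FF_CODEC_CAP_INIT_CLEANUP makes the generic layer call decode_end after a failed decode_init, so this one-line change is only a complete leak fix if decode_end tolerates a partially initialised context (buffers still NULL because decode_init returned early). The hunk shows only the flag being added; please confirm that every free path in decode_end is NULL-safe and does not depend on fields that decode_init sets late.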
[FFmpeg-cvslog] avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output
ffmpeg | branch: master | Michael Niedermayer | Sun Jun 18 14:37:19 2017 +0200| [27c20068054d8c6786833234f7b6db19f1e98362] | committer: Michael Niedermayer avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int' Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27c20068054d8c6786833234f7b6db19f1e98362 --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 7d3502b53c..8df73115d8 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -889,7 +889,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) -samples[i] = decoded[i] + 0x80; +samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
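Review bot: The `0x80U` literal moves the addition into unsigned arithmetic so a `decoded[i]` near INT_MAX wraps instead of triggering signed-overflow UB, but the result is then truncated to `uint8_t` rather than clipped, so an out-of-range sample still reaches the output silently. A short comment stating that wrap-around is intentional here would help, or, if the intent is correct 8-bit output, compare against clipping with av_clip_uint8 after shifting the sample into range.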
[FFmpeg-cvslog] avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code
ffmpeg | branch: master | Michael Niedermayer | Sun Jun 11 17:58:45 2017 +0200| [4132218b87cd6fb13abd162e3037ef4563286baa] | committer: Michael Niedermayer avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code This reduces the worst case from O(n²) to O(n) time Fixes Timeout Fixes: 2127/clusterfuzz-testcase-minimized-6595787859427328 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4132218b87cd6fb13abd162e3037ef4563286baa --- libavcodec/htmlsubtitles.c | 20 +++- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 16295daa0c..70311c66d5 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -56,6 +56,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; SrtStack stack[16]; +int closing_brace_missing = 0; stack[0].tag[0] = 0; strcpy(stack[0].param[PARAM_SIZE], "{\\fs}"); @@ -83,11 +84,20 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) and all microdvd like styles such as {Y:xxx} */ len = 0; an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; -if ((an != 1 && (len = 0, sscanf(in, "{\\%*[^}]}%n", &len) >= 0 && len > 0)) || -(len = 0, sscanf(in, "{%*1[CcFfoPSsYy]:%*[^}]}%n", &len) >= 0 && len > 0)) { -in += len - 1; -} else -av_bprint_chars(dst, *in, 1); + +if (!closing_brace_missing) { +if ( (an != 1 && in[1] == '\\') +|| (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { +char *bracep = strchr(in+2, '}'); +if (bracep) { +in = bracep; +break; +} else +closing_brace_missing = 1; +} +} + +av_bprint_chars(dst, *in, 1); break; case '<': tag_close = in[1] == '/'; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
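Review bot: Two undocumented invariants in the second hunk deserve comments. First, `in = bracep; break;` leaves `in` pointing at the closing brace and relies on the enclosing loop's increment to step past it, exactly as the old `in += len - 1` did; a reader seeing the new form alone will suspect the brace is emitted. Second, `closing_brace_missing` is set once and never cleared, so after the first unterminated `{...}` every later brace sequence is copied through verbatim; that is what makes the worst case O(n), but it is a behaviour change for inputs with one bad brace followed by valid tags and should be stated next to the declaration added in the first hunk. The `in[1] &&` guard before `strchr("CcFfoPSsYy", in[1])` is needed because strchr matches the terminating NUL; worth one comment too.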
[FFmpeg-cvslog] avcodec/htmlsubtitles: Factor open brace handling into its own function
ffmpeg | branch: master | Michael Niedermayer | Tue Jun 13 00:01:04 2017 +0200| [14b834c45a00d89f4f4713e6977b31c51fef1286] | committer: Michael Niedermayer avcodec/htmlsubtitles: Factor open brace handling into its own function Suggested-by: wm4 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14b834c45a00d89f4f4713e6977b31c51fef1286 --- libavcodec/htmlsubtitles.c | 44 ++-- 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 70311c66d5..be5c9316ca 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -51,6 +51,30 @@ static void rstrip_spaces_buf(AVBPrint *buf) buf->str[--buf->len] = 0; } +/* skip all {\xxx} substrings except for {\an%d} + and all microdvd like styles such as {Y:xxx} */ +static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int *closing_brace_missing) +{ +int len = 0; +const char *in = *inp; + +*an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; + +if (!*closing_brace_missing) { +if ( (*an != 1 && in[1] == '\\') +|| (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { +char *bracep = strchr(in+2, '}'); +if (bracep) { +*inp = bracep; +return; +} else +*closing_brace_missing = 1; +} +} + +av_bprint_chars(dst, *in, 1); +} + int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; 
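Review bot: handle_open_brace needs a doc comment on its contract, since it is not obvious from the signature: on return `*inp` either points at the matching `}` (caller's loop increment then skips it) or is unchanged with the `{` already appended to `dst`, and `*an` and `*closing_brace_missing` are updated in place. The moved comment only describes which sequences are skipped, not this pointer protocol. Minor: `strchr(in+2, '}')` returns `char *` from a `const char *`, so `bracep` could be `const char *` for consistency with `in`.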
@@ -80,24 +104,8 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) if (!line_start) av_bprint_chars(dst, *in, 1); break; -case '{':/* skip all {\xxx} substrings except for {\an%d} -and all microdvd like styles such as {Y:xxx} */ -len = 0; -an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - -if (!closing_brace_missing) { -if ( (an != 1 && in[1] == '\\') -|| (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { -char *bracep = strchr(in+2, '}'); -if (bracep) { -in = bracep; -break; -} else -closing_brace_missing = 1; -} -} - -av_bprint_chars(dst, *in, 1); +case '{': +handle_open_brace(dst, &in, &an, &closing_brace_missing); break; case '<': tag_close = in[1] == '/'; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
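Review bot: Behaviour-preserving refactor; the `break;` after the call keeps the case's control flow identical to before. One thing to verify: the `case '{'` body was the only visible user of `len` and `sscanf` in this region, so check that the `len` local declared at the top of ff_htmlmarkup_to_ass is still used by the remaining cases, otherwise the build gains an unused-variable warning.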
[FFmpeg-cvslog] Cleanly exit at the end of an Interplay MVE
ffmpeg | branch: master | Hein-Pieter van Braam | Sat Jun 17 21:43:36 2017 +0200| [099d35401c1a266724a723d71aa12e53addfe037] | committer: James Almer Cleanly exit at the end of an Interplay MVE Reviewed-by: Paul B Mahol Signed-off-by: Hein-Pieter van Braam Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=099d35401c1a266724a723d71aa12e53addfe037 --- libavformat/ipmovie.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index a83909f148..29eeaf6b8b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -650,6 +650,8 @@ static int ipmovie_read_packet(AVFormatContext *s, ret = AVERROR(EIO); else if (ret == CHUNK_NOMEM) ret = AVERROR(ENOMEM); +else if (ret == CHUNK_END || ret == CHUNK_SHUTDOWN) +ret = AVERROR_EOF; else if (ret == CHUNK_VIDEO) ret = 0; else if (ret == CHUNK_INIT_VIDEO || ret == CHUNK_INIT_AUDIO) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
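Review bot: Mapping both CHUNK_END and CHUNK_SHUTDOWN to AVERROR_EOF makes a stream that ends with a proper end chunk indistinguishable, for the caller, from one that hits a shutdown chunk early. A `av_log(s, AV_LOG_DEBUG, ...)` naming which of the two was seen would help when triaging truncated or malformed files without changing the returned code.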
[FFmpeg-cvslog] avformat/rmenc: do not access AVIO write buffer directly
ffmpeg | branch: master | Marton Balint | Fri Jun 16 22:45:23 2017 +0200| [8a09325311575a18a1d2afefa3c2e9014f3396f9] | committer: Marton Balint avformat/rmenc: do not access AVIO write buffer directly Reviewed-by: Michael Niedermayer Signed-off-by: Marton Balint > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a09325311575a18a1d2afefa3c2e9014f3396f9 --- libavformat/rmenc.c | 19 --- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index f9821d1875..3bff4daf0a 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -72,14 +72,12 @@ static int rv10_write_header(AVFormatContext *ctx, RMMuxContext *rm = ctx->priv_data; AVIOContext *s = ctx->pb; StreamInfo *stream; -unsigned char *data_offset_ptr, *start_ptr; const char *desc, *mimetype; int nb_packets, packet_total_size, packet_max_size, size, packet_avg_size, i; -int bit_rate, v, duration, flags, data_pos; +int bit_rate, v, duration, flags; +int data_offset; AVDictionaryEntry *tag; -start_ptr = s->buf_ptr; - ffio_wfourcc(s, ".RMF"); avio_wb32(s,18); /* header size */ avio_wb16(s,0); @@ -119,7 +117,7 @@ static int rv10_write_header(AVFormatContext *ctx, avio_wb32(s, BUFFER_DURATION); /* preroll */ avio_wb32(s, index_pos); /* index offset */ /* computation of data the data offset */ -data_offset_ptr = s->buf_ptr; +data_offset = avio_tell(s); avio_wb32(s, 0); /* data offset : will be patched after */ avio_wb16(s, ctx->nb_streams);/* num streams */ flags = 1 | 2; /* save allowed & perfect play */ 
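Review bot: `data_offset` is declared `int` but receives the result of `avio_tell(s)`, which returns `int64_t`; the header cannot realistically exceed 2 GiB, but using `int64_t` keeps the type honest and avoids a sign-conversion warning. The removal of `start_ptr`/`data_offset_ptr` is the important part: the old code wrote into the AVIO buffer behind the API, which breaks as soon as the buffer is flushed between the two points.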
@@ -276,12 +274,11 @@ static int rv10_write_header(AVFormatContext *ctx, } /* patch data offset field */ -data_pos = s->buf_ptr - start_ptr; -rm->data_pos = data_pos; -data_offset_ptr[0] = data_pos >> 24; -data_offset_ptr[1] = data_pos >> 16; -data_offset_ptr[2] = data_pos >> 8; -data_offset_ptr[3] = data_pos; +rm->data_pos = avio_tell(s); +if (avio_seek(s, data_offset, SEEK_SET) >= 0) { +avio_wb32(s, rm->data_pos); +avio_seek(s, rm->data_pos, SEEK_SET); +} /* data stream */ ffio_wfourcc(s, "DATA"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
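Review bot: When `avio_seek(s, data_offset, SEEK_SET)` fails (non-seekable output such as a pipe), the data offset field silently stays at the placeholder 0 written earlier, producing a file whose header points at offset 0. Log a warning in that case so the user knows the output is not a well-formed RM file, and check the return value of the second `avio_seek(s, rm->data_pos, SEEK_SET)` as well; if that seek fails the following `ffio_wfourcc(s, "DATA")` is written at the wrong position.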
[FFmpeg-cvslog] avcodec/aacdec_template: Fix fixed point scale in decode_cce()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 17 15:51:46 2017 +0200| [d2f43c48f9cd9c4432ca7c14d543beca968cf58a] | committer: Michael Niedermayer avcodec/aacdec_template: Fix fixed point scale in decode_cce() Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int' Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53a502206a9ea698926694d7252526fe00d1ea44) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d2f43c48f9cd9c4432ca7c14d543beca968cf58a --- libavcodec/aacdec_template.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 883ed527f7..a37032a025 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2155,7 +2155,11 @@ static int decode_cce(AACContext *ac, GetBitContext *gb, ChannelElement *che) coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1); sign = get_bits(gb, 1); -scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)]; +#if USE_FIXED +scale = get_bits(gb, 2); +#else +scale = cce_scale[get_bits(gb, 2)]; +#endif if ((ret = decode_ics(ac, sce, gb, 0, 0))) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
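Review bot: Under USE_FIXED `scale` now holds the raw 2-bit index (0..3) rather than a table value, so every later use of `scale` in decode_cce on the fixed-point path must treat it as a shift count or index; the hunk shows the assignment only, so please check those uses and add a comment at the `#if USE_FIXED` branch stating that the fixed-point code applies the scale as a shift, otherwise the next reader will "fix" it back to the table lookup.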
[FFmpeg-cvslog] avcodec/mlpdec: Fix: runtime error: left shift of negative value -8
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 18 02:07:17 2017 +0200| [fceacfc1320fd0609fa60b3f238651240a351f16] | committer: Michael Niedermayer avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25c81e4b737bcc737b13c9a752cb301a28cb3906) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fceacfc1320fd0609fa60b3f238651240a351f16 --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eaf1aa7c75..5426712007 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -759,7 +759,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); -s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); +s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
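Review bot: Replacing the shift by `coeff_val * (1 << (14 - frac_bits))` removes the negative-shift UB but only stays overflow-free if `frac_bits <= 14`: `coeff_val` comes from `get_sbits(gbp, frac_bits + 2)`, so its magnitude times 2^(14 - frac_bits) is at most 2^16, which fits, whereas a larger `frac_bits` makes the shift count negative. The validation of `frac_bits` is not in this hunk; add a comment stating the invariant at this line and confirm it is enforced where `frac_bits` is read.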
[FFmpeg-cvslog] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 17 16:45:46 2017 +0200| [f0a24f2f77d1364fb848557da19ac1dfe3ccf791] | committer: Michael Niedermayer avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0a24f2f77d1364fb848557da19ac1dfe3ccf791 --- libavcodec/aacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index ee9b4eb45f..ffb0f22ec0 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { +if (get_bits_left(gb) < 8) +return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); -if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { +if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
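Review bot: In the second hunk the new `mux_slot_length_bytes < 0` test is what makes the first hunk's `return AVERROR_INVALIDDATA` from read_payload_length_info safe, since the function previously could not fail; good, but the trailing context line `mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)` still multiplies in `int`. That is only safe because the `8LL` comparison just above has already bounded `mux_slot_length_bytes * 8` by the remaining bits; a one-line comment there would stop someone reordering the checks later.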
[FFmpeg-cvslog] avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 18 01:54:43 2017 +0200| [2e7cf081a061844d858b4432217cfc5e7bcd152b] | committer: Michael Niedermayer avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' Fixes: 1657/clusterfuzz-testcase-minimized-471079405056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58ac7fb9c395ab91cb321fa4c8c9e127ce8147c3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e7cf081a061844d858b4432217cfc5e7bcd152b --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 3ea12f0511..8067ac94e5 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; -unsigned delta = -((int16_t)segments * width); +int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame+= delta; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
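Review bot: Now that `delta` is signed `int64_t`, a reader will ask whether a negative value can pass `frame_end - frame <= delta` and move `frame` backwards. It cannot, because the loop condition `(segments & 0xC000) == 0xC000` guarantees `(int16_t)segments` is negative, so `delta` is always positive; please state that in a comment next to the declaration, since the correctness of the bounds check now depends on it.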
[FFmpeg-cvslog] avcodec/mimic: Use ff_set_dimensions() to set the dimensions
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 18 17:46:56 2017 +0200| [08375d37be071518526fc9001f07ecb32336268a] | committer: Michael Niedermayer avcodec/mimic: Use ff_set_dimensions() to set the dimensions Fixes: OOM Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e434840fd4b3c854beec845f950b80bc1bf93b60) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=08375d37be071518526fc9001f07ecb32336268a --- libavcodec/mimic.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index ce649c602a..b77171a822 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } +res = ff_set_dimensions(avctx, width, height); +if (res < 0) +return res; + ctx->avctx = avctx; -avctx->width = width; -avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = AV_CEIL_RSHIFT(height, 3 + !!i); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
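Review bot: ff_set_dimensions validates the size before anything is allocated, which is the right fix for the OOM. Because this runs in mimic_decode_frame rather than at init, a stream can change dimensions mid-way; the `ctx->num_vblocks[i]` values are recomputed in the trailing context, but any per-frame buffers sized from the previous dimensions are not visible in this hunk, so confirm they are reallocated or the change is rejected, otherwise the old buffers are used with the new width and height.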
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri May 19 12:25:52 2017 +0200| [51a80d0f71650d9d71f01e913f428a5534c494fc] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' Fixes: 1681/clusterfuzz-testcase-minimized-5970545365483520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fb104f4476ad238e2ca768e9b80dc314e6e856d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51a80d0f71650d9d71f01e913f428a5534c494fc --- libavcodec/aacsbr_fixed.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..480062dfcc 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -288,6 +288,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fff; +else if (shift <= -30) +alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -302,6 +304,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fff; +else if (shift <= -30) +alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -315,6 +319,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fff; +else if (shift <= -30) +alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -329,6 +335,8 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fff; +else if (shift <= -30) +alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
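Review bot: The same `else if (shift <= -30) ... = 0;` guard is pasted four times for a00, a01, a10 and a11; a small static inline helper taking the SoftFloat and the output pointer would keep the four branches from drifting apart. The boundary also deserves a comment: with `shift == -29` the following `shift = 2-shift` yields 31, which is the largest count a 32-bit shift tolerates, so -30 is exactly the cut-off rather than an arbitrary constant.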
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 00:06:10 2017 +0200| [1476c1b2c751d86b136498ca38e97d40569d1b16] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' Fixes part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6310fc714de3cd73848416ead73228fcef8b6dc0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1476c1b2c751d86b136498ca38e97d40569d1b16 --- libavcodec/aacsbr_fixed.c | 25 +++-- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 480062dfcc..01f81afaaa 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -575,20 +575,25 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; +shift = 22 - in[m ].exp; +if (shift < 32) { +round = 1 << (shift-1); +out[2*m ] += (in[m ].mant * A + round) >> shift; +} - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; +shift = 22 - in[m+1].exp; +if (shift < 32) { +round = 1 << (shift-1); +out[2*m+2] += (in[m+1].mant * B + round) >> shift; +} } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; +shift = 22 - in[m ].exp; +if (shift < 32) { +round = 1 << (shift-1); +out[2*m ] += (in[m ].mant * A + round) >> shift; +} } } indexnoise = (indexnoise + m_max) & 0x1ff; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
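Review bot: The `if (shift < 32)` guard only covers the large end of the range. `shift = 22 - in[m].exp` can also be zero or negative when `in[m].exp > 21`, and then `1 << (shift-1)` and `>> shift` are undefined for a negative count; if that exponent range is reachable from bitstream data, use `if (shift > 0 && shift < 32)` or clamp `exp` where the SoftFloat is produced. The three identical blocks would also benefit from a shared helper, and the re-indentation of unchanged lines mixed into this hunk makes the logic change harder to see.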
[FFmpeg-cvslog] avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 02:42:12 2017 +0200| [eee33987ec7792173cb0a3263cc043864d44] | committer: Michael Niedermayer avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d04fc94e1021b70e542dc01a48b8398c6fc6325) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eee33987ec7792173cb0a3263cc043864d44 --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 2fc453c1f0..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; int32_t sample = sample_buffer[i][mat_ch] * - (1 << output_shift[mat_ch]); + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xff) << mat_ch; if (is32) *data_32++ = sample << 8; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
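Review bot: `1U << output_shift[mat_ch]` turns the product unsigned and then stores it back into the signed `int32_t sample`, which is an implementation-defined conversion rather than UB, so the fix is sound on all supported compilers; a comment saying the wrap is deliberate would help. The trailing context line `*data_32++ = sample << 8;` still left-shifts the signed `sample`, which is the same class of UB for negative samples; it probably needs `sample * 256` or an unsigned cast in a follow-up.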
[FFmpeg-cvslog] avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat May 20 01:23:01 2017 +0200| [b526aed4d580983af25d8210dd5c65dde01255f8] | committer: Michael Niedermayer avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]' Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4d102a070b95832ae4a751688f87da7760a2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b526aed4d580983af25d8210dd5c65dde01255f8 --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 5426712007..eac19a0d5e 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,6 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); +s->num_primitive_matrices = 0; return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
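Review bot: Zeroing `s->num_primitive_matrices` before the error return keeps later loops over `matrix_coeff` in bounds, but it relies on the caller continuing to use the substream after AVERROR_INVALIDDATA; please add a comment explaining that the reset exists because the context outlives this error, and check whether other fields parsed earlier in read_matrix_params are left half-updated in the same way.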
[FFmpeg-cvslog] avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 18 17:13:18 2017 +0200| [3a69d5d3f01d407b9c8fc58c31fc53f93b8e31a1] | committer: Michael Niedermayer avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a173f484b52ed63292439de5347e49bd78cad0ed) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a69d5d3f01d407b9c8fc58c31fc53f93b8e31a1 --- libavcodec/fic.c | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 1e28f59d83..2c11515459 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -88,22 +88,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; -const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); -const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); -const int t6 = t2 - t0; -const int t7 = t3 - t1; -const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; -const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; -const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; -const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; -blk[0 * step] = ( t4 + t9 + tB) >> shift; -blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; -blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; -blk[3 * step] = ( t5 - t9 + tB) >> shift; -blk[4 * step] = ( -t5 - t9 + tB) >> shift; -blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; -blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; -blk[7 * step] = ( -t4 + t9 + tB) >> shift; +const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); +const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); +const unsigned t6 = t2 - t0; +const unsigned t7 = t3 - t1; +const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; +const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; +const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; +const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; +blk[0 * step] = (int)( t4 + t9 + tB) >> shift; +blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; +blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; +blk[3 * step] = (int)( t5 - t9 + tB) >> shift; +blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; +blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; +blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; +blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t *block) ___ ffmpeg-cvslog mailing 
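Review bot: Switching t4..tB to `unsigned` removes the reported overflow in `5793 * (...)`, but `t6 = t2 - t0` and `t7 = t3 - t1` are still computed in signed `int` (t0..t3 are `const int`) before the conversion, so a large input block can still overflow there; casting one operand, e.g. `(unsigned)t2 - t0`, closes that. Also worth a function-level comment that intermediate wrap-around is intentional and that `(int)(...) >> shift` depends on arithmetic right shift, which FFmpeg assumes everywhere but which is implementation-defined.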
list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 01:43:04 2017 +0200| [4b5920e493023ac75d48aca72c5ea752825f2a56] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: part of 1709/clusterfuzz-testcase-minimized-4513580554649600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 384508b2ff69bc3fad1e1c2e7de0dcd0913c6208) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4b5920e493023ac75d48aca72c5ea752825f2a56 --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..924da83c85 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -229,11 +229,11 @@ static void sbr_hf_gen_c(int (*X_high)[2], const int (*X_low)[2], static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { -int m, r; +int m; int64_t accu; for (m = 0; m < m_max; m++) { -r = 1 << (22-g_filt[m].exp); +int64_t r = 1LL << (22-g_filt[m].exp); accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
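Review bot: Widening `r` to `int64_t` fixes the `1 << 31` case, but `22-g_filt[m].exp` must still lie in 0..62 for `1LL << ...` to be defined, and the next line's `>> (23-g_filt[m].exp)` has the same constraint; if `exp` is not already clamped when `g_filt` is built, add an `av_assert1` or clamp here so a malformed stream cannot pick an out-of-range exponent.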
[FFmpeg-cvslog] avcodec/aac_defines: Fix: runtime error: left shift of negative value -2
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 02:51:04 2017 +0200| [87de89ac7856598cfb7bd3b74387c68defa517e6] | committer: Michael Niedermayer avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 Fixes: 1716/clusterfuzz-testcase-minimized-4691012196761600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3547dcbc326474745f02a618e01848a293f3f92) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=87de89ac7856598cfb7bd3b74387c68defa517e6 --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index c12dc2fab7..0ea667e77b 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -45,7 +45,7 @@ typedef int AAC_SIGNE; #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x200) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x2000) >> 30) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
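Review bot: The macro is still not fully parenthesised: `+ 1024` sits outside the outer parentheses, so `GET_GAIN(a, b) * c` expands to `(-(b) * (1 << (a))) + 1024 * c`. The original had the same flaw, but since the line is being touched, wrap the whole expansion as `((-(y) * (1 << (x))) + 1024)`. `1 << (x)` is also undefined for `x >= 31`; if the callers do not bound `x`, use `(1U << (x))`.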
[FFmpeg-cvslog] avcodec/takdec: Fix runtime error: left shift of negative value -63
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 02:46:55 2017 +0200| [56ce2cae385e2de3b6f7618c28cb28ce7a87d012] | committer: Michael Niedermayer avcodec/takdec: Fix runtime error: left shift of negative value -63 Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d66193252b4067144f11211f8f3e1d5a50146235) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56ce2cae385e2de3b6f7618c28cb28ce7a87d012 --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index f556c5baa1..b438ae43b3 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -860,7 +860,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) -decoded[i] <<= s->sample_shift[chan]; +decoded[i] *= 1 << s->sample_shift[chan]; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
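Review bot: `decoded[i] *= 1 << s->sample_shift[chan]` avoids the negative-left-shift UB but trades it for a signed multiplication overflow and an undefined `1 << 31` when `sample_shift` is large; the fix is only complete if `sample_shift[chan]` is range-checked when it is parsed, which is not visible here. Please confirm that bound, or use `1U << ...` and document that the product is allowed to wrap.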
[FFmpeg-cvslog] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 21:49:54 2017 +0200| [a8fb8cd716dfe29a113068f9e3ded58912dcebfb] | committer: Michael Niedermayer avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 40fa6a2fa2c255293a780a194eecae5df52644a1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a8fb8cd716dfe29a113068f9e3ded58912dcebfb --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d7ef0067b5..ba0e714f2b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -734,7 +734,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { -int val; +unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xf) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
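Review bot: changing `val` to `unsigned` in `decode_dc_progressive` makes the later arithmetic with `quant_matrix` wrap instead of overflowing, but `mjpeg_decode_dc()` is not shown here: if it can return a negative error value, `val == 0xf` remains the only check and a negative return would silently become a large unsigned number. Please confirm its return contract, and add a comment on the declaration saying the unsigned type is there so the DC scaling wraps deliberately.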
[FFmpeg-cvslog] avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 17 00:07:02 2017 +0200| [e6d6363eb30dfdf3c4aeb3f269ee63a91a79b042] | committer: Michael Niedermayer avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 955db411929a9876d3cd016fbbb9c49b6362feba) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6d6363eb30dfdf3c4aeb3f269ee63a91a79b042 --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index b438ae43b3..a05b50ac5c 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -265,11 +265,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { -int x = get_bits_long(gb, code.init); +unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { -int scale = get_unary(gb, 1, 9); +unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
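Review bot: in `decode_segment`, `x |= 1 << code.init;` now combines an `unsigned x` with a signed `1 << code.init`, and `x >= code.escape` / `x >= code.aescape` compare an `unsigned` against whatever type the `code` fields have; if those are signed, a negative table value would compare as a huge number. Use `1U << code.init` and add a comment stating that `x` and `scale` were made unsigned so the scaling arithmetic below wraps rather than overflows.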
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 16:53:55 2017 +0200| [9a680966d1be0305855bfa4a5cee7cbbe1bbf218] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' Fixes: 1721/clusterfuzz-testcase-minimized-4719352135811072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5228e44c7f3a5eba537c8a39a45cfbf2961a28d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a680966d1be0305855bfa4a5cee7cbbe1bbf218 --- libavcodec/aacdec_fixed.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1b5e8aa326..33f959070c 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -207,7 +207,11 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) c /= band_energy; s = 21 + nlz - (s >> 2); -if (s > 0) { +if (s > 31) { +for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
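Review bot: the new `if (s > 31)` branch in `noise_scale` (its loop body is not fully visible in this listing) handles only the overlarge positive shift; the `else` path that shifts by `-s` is not shown, so please confirm it cannot be asked for a shift of 32 or more either. A one-line comment on the `s > 31` branch saying that a shift by 32 or more bits would discard every bit, which is why the coefficients are cleared instead of shifted, would make the special case self-explanatory.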
[FFmpeg-cvslog] avcodec/vmnc: Check location before use
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 13:22:16 2017 +0200| [859188863b9d54362a291b52bee7ce0b953cffc2] | committer: Michael Niedermayer avcodec/vmnc: Check location before use Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int' Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec2b76aab44f55be22eb12d86eb0dfd2eff68581) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=859188863b9d54362a291b52bee7ce0b953cffc2 --- libavcodec/vmnc.c | 18 ++ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 49abb776f2..dfabfd394a 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); +if ((dx + w > c->width) || (dy + h > c->height)) { +av_log(avctx, AV_LOG_ERROR, +"Incorrect frame size: %ix%i+%ix%i of %ix%i\n", +w, h, dx, dy, c->width, c->height); +return AVERROR_INVALIDDATA; +} outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x: // raw rectangle data -if ((dx + w > c->width) || (dy + h > c->height)) { -av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); -return AVERROR_INVALIDDATA; -} if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 
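Review bot: hoisting the `dx + w > c->width || dy + h > c->height` check above `outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0];` is the real fix, because that pointer arithmetic ran before any of the per-encoding checks and its multiplications are what overflowed; the commit message only quotes the sanitizer report, so it should say that the check now covers every `enc` value rather than just the raw and HexTile cases. Since `dx`, `w`, `dy` and `h` come from `bytestream2_get_be16`, the additions in the condition itself cannot overflow an `int`.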
@@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x0005: // HexTile encoded rectangle -if ((dx + w > c->width) || (dy + h > c->height)) { -av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); -return AVERROR_INVALIDDATA; -} res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
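Review bot: the HexTile-specific check removed here is now fully redundant with the hoisted one, so this hunk is fine as is; the one property to keep in mind is that `decode_hextile()` receives `w`/`h` that were validated before `outptr` was computed, which the first hunk guarantees.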
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check for multiple VOL headers
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 21 16:01:27 2017 +0200| [9ac7c504eaa44fcd75fbc8e731e81e61210fc11c] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check for multiple VOL headers Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int' Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904 Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976 Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efeb47fd5d5cbf980e52a6d5e741c3c74b94b5e2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ac7c504eaa44fcd75fbc8e731e81e61210fc11c --- libavcodec/mpeg4videodec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 20d2171405..52ec688ce8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2559,6 +2559,7 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; +int vol = 0; /* search next start code */ align_get_bits(gb); @@ -2647,6 +2648,11 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } if (startcode >= 0x120 && startcode <= 0x12F) { +if (vol) { +av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); +return AVERROR_INVALIDDATA; +} +vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
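Review bot: the new error message `"Multiple VOL headers"` in `ff_mpeg4_decode_picture_header` lacks a trailing `\n`, so it will run into the next log line; make it `"Multiple VOL headers\n"`. `vol` is only ever used as a flag, so `vol = 1;` reads more clearly than `vol++`, and a comment explaining why a second VOL header inside one picture header is rejected (it would run `decode_vol_header()` again over already initialised state) would help the next reader.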
[FFmpeg-cvslog] avcodec/jpeglsdec: Check get_bits_left() before decoding a picture
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 23 22:18:52 2017 +0200| [3b67878ab4f6598b3af46ec9d10f1f11244084ca] | committer: Michael Niedermayer avcodec/jpeglsdec: Check get_bits_left() before decoding a picture Signed-off-by: Michael Niedermayer (cherry picked from commit 4bc3008d04451cd31818e21703ed7ed96b6ff074) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b67878ab4f6598b3af46ec9d10f1f11244084ca --- libavcodec/jpeglsdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 68151cbbd8..20b40445fd 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -385,6 +385,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } +if (get_bits_left(&s->gb) < s->height) { +ret = AVERROR_INVALIDDATA; +goto end; +} if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
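Review bot: `get_bits_left(&s->gb) < s->height` in `ff_jpegls_decode_picture` is a heuristic lower bound (at least one bit per image row), not something derived from the stream parameters; please say so in a comment, otherwise a later reader may tighten or loosen it without knowing it is only meant to reject obviously truncated input cheaply before the per-plane loop runs.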
[FFmpeg-cvslog] avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon May 22 01:19:50 2017 +0200| [7b074e728d2402099107d283f6660400c2bdd550] | committer: Michael Niedermayer avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fb00b3e858b7a5aeccfe6bdfc10290c2121c3ec) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b074e728d2402099107d283f6660400c2bdd550 --- libavcodec/ivi_dsp.c | 30 +++--- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 9e41269c3b..1ea039f0e8 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; -p0 = tmp0 << 4; -p1 = tmp1 << 3; -p2 = (tmp0 + tmp2) << 3; -p3 = (tmp1 + tmp2 + b0_2) << 2; +p0 = tmp0 * 16; +p1 = tmp1 * 8; +p2 = (tmp0 + tmp2) * 8; +p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; -p0 += (tmp0 + tmp1) << 3; -p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; -p2 += tmp2 << 2; -p3 += (tmp2 + b1_3) << 1; +p0 += (tmp0 + tmp1) * 8; +p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; +p2 += tmp2 * 4; +p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ 
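Review bot: the `<< n` to `* 16`/`* 8`/`* 4` rewrites in `ff_ivi_recompose53` (both hunks here) remove the undefined left shift of negative intermediates, but a signed multiply still overflows for the same magnitudes the shift did; if `tmp0`, `tmp1` and `p0`..`p3` are `int`, please confirm the band values are bounded so that `tmp0 * 16` cannot exceed `INT_MAX`, or state in a comment that the input range makes it safe. Writing the kernel weights as plain constants rather than `(1 << 4)` is fine, since the loop reads as a filter.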
@@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; -p0 += tmp0 << 3; -p1 += tmp1 << 2; -p2 += (tmp0 + b2_4 + b2_5) << 2; -p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; +p0 += tmp0 * 8; +p1 += tmp1 * 4; +p2 += (tmp0 + b2_4 + b2_5) * 4; +p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; -p0 += (tmp0 + tmp1) << 2; -p1 += (tmp0 - tmp1*6 + tmp2) << 1; -p2 += (b3_7 + b3_8) << 1; +p0 += (tmp0 + tmp1) * 4; +p1 += (tmp0 - tmp1*6 + tmp2) * 2; +p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
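Review bot: the same remark applies to the LH and HH band hunks: `p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2;` and `p1 += (tmp0 - tmp1*6 + tmp2) * 2;` keep accumulating into signed `p0..p3`. The final line `p3 += b3_7 - b3_8*6 + b3_9;` was already a plain multiply, so these four hunks together make the whole routine shift-free, which the commit message could state instead of quoting a single sanitizer instance.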
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check tile offsets
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 24 19:40:42 2017 +0200| [b3f8d3880002ab934f7afdf7d96001dbee6afe4e] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check tile offsets Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3f8d3880002ab934f7afdf7d96001dbee6afe4e --- libavcodec/jpeg2000dec.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e9f5f51af3..b320c41c3a 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -298,6 +298,14 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } +if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || +s->image_offset_x < s->tile_offset_x || +s->image_offset_y < s->tile_offset_y) { +av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", + s->ncomponents); +return AVERROR_INVALIDDATA; +} + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
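Review bot: `av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", s->ncomponents);` passes an argument the format string never consumes, and it reads `s->ncomponents` before the `s->ncomponents = ncomponents;` assignment a few lines below; drop the extra argument (a `-Wformat` build reports it as an extra argument). The condition itself is right: a negative tile origin, or an image origin left of or above the tile origin, makes `image_offset - tile_offset` negative, which is the subtraction the sanitizer reported.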
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix copy and paste error
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 25 11:11:33 2017 +0200| [5202bef67aadf67af4e276998470658ad40f7541] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fix copy and paste error Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 5782e0ba8cc30bb08a806cdeda1adfb89a0556b4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5202bef67aadf67af4e276998470658ad40f7541 --- libavcodec/jpeg2000dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b320c41c3a..fca7740b5d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -301,8 +301,7 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || s->image_offset_y < s->tile_offset_y) { -av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", - s->ncomponents); +av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
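Review bot: the `av_log` call in `get_siz` now matches its format string, which is all this needs; the stray `s->ncomponents` argument it removes is the kind of mismatch `-Wformat` (part of `-Wall`) reports, so it is worth making sure those warnings are not silenced in the release branch build.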
[FFmpeg-cvslog] avcodec/sanm: Fix uninitialized reference frames
ffmpeg | branch: release/3.1 | Max Justicz | Wed May 24 15:25:50 2017 +0200| [1d35eda0b2c59f742512f39f1ddeabf662fc69bf] | committer: Michael Niedermayer avcodec/sanm: Fix uninitialized reference frames Fixes: poc.snm Signed-off-by: Michael Niedermayer (cherry picked from commit ca616b0f72c65b0ef5f9e1e6125698b15f50a26e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d35eda0b2c59f742512f39f1ddeabf662fc69bf --- libavcodec/sanm.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 1aa002b6a5..065bf7aca1 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { -av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); -av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); -av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); +av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); +av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); +av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) -av_fast_padded_malloc(&ctx->stored_frame, +av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
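Review bot: switching `init_buffers` to `av_fast_padded_mallocz` gives the reference frames `frm0`, `frm1`, `frm2` (and `stored_frame` for version 0) defined zero contents, so a stream whose early frames reference pixels before any keyframe reads zeros instead of heap garbage; add a comment at the call site saying that is the purpose, since `mallocz` costs a memset of `buf_size` and someone may later "optimise" it back to `av_fast_padded_malloc`. The `if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 ||` failure check below still covers the new calls.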
[FFmpeg-cvslog] avcodec/smc: Check remaining input
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 25 20:07:49 2017 +0200| [e383baee9c665163c3a35847e5b555cc94206e95] | committer: Michael Niedermayer avcodec/smc: Check remaining input Fixes: Timeout Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e383baee9c665163c3a35847e5b555cc94206e95 --- libavcodec/smc.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 69d78ad1d1..bb5f808da2 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } +if (bytestream2_get_bytes_left(&s->gb) < 1) { +av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); +return; +} opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
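Review bot: the new `bytestream2_get_bytes_left(&s->gb) < 1` check in `smc_decode_stream` is what stops the timeout: `bytestream2_get_byte` returns 0 once the buffer is exhausted, so the opcode loop used to spin on zero opcodes; say that in a comment, because `"input too small"` reads like a header-size problem. Since the function is `void`, the early `return` leaves the frame partially decoded with no error reaching the caller; consider propagating an error code in a follow-up.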
[FFmpeg-cvslog] avutil/internal: Do not enable CHECKED with DEBUG
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri Apr 7 13:49:09 2017 +0200| [9aaadb1ee3eb276ba5dd4f9d0143895cc0f85432] | committer: Michael Niedermayer avutil/internal: Do not enable CHECKED with DEBUG This avoids potential undefined behavior in debug mode while still allowing developers which want to check for potential additional overflows to do so by manually enabling this. Reviewed-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9aaadb1ee3eb276ba5dd4f9d0143895cc0f85432 --- libavutil/internal.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index cc2d97dc52..e4da21b1b5 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,9 +30,8 @@ #define NDEBUG #endif -#if defined(DEBUG) && !defined(CHECKED) -#define CHECKED -#endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED #include #include ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
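Review bot: replacing the `#if defined(DEBUG) && !defined(CHECKED)` block with a commented-out `//#define CHECKED` means the only way to enable the extra overflow checks is to edit `libavutil/internal.h`; a `configure` option or `-DCHECKED` in the compiler flags would avoid local modifications and should be mentioned in the comment. The comment could also say which constructs `CHECKED` guards, so readers know why enabling it can itself trigger ubsan.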
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 25 23:01:27 2017 +0200| [b77ce15e472256499606f415df269716929765ec] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 1825/clusterfuzz-testcase-minimized-6002833050566656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e87d146d798ca25d8f3a4520a6deb7946b39d73) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b77ce15e472256499606f415df269716929765ec --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 33f959070c..29a363dec8 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -187,7 +187,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) round = 1 << (s-1); for (i=0; i> s); -dst[i] = out * ssign; +dst[i] = out * (unsigned)ssign; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
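Review bot: `dst[i] = out * (unsigned)ssign;` in `subband_scale` works because the only overflowing product is `INT_MIN * -1`, which now wraps to `INT_MIN` in unsigned arithmetic and is converted back to `int` on the store; that reasoning belongs in a comment on the line, since the cast otherwise looks accidental and is easy to remove during a cleanup.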
[FFmpeg-cvslog] avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 03:03:46 2017 +0200| [8da4f91fca831d8d8e8e4aa257d4a2927a2af9e3] | committer: Michael Niedermayer avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8da4f91fca831d8d8e8e4aa257d4a2927a2af9e3 --- libavcodec/ivi_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 1ea039f0e8..a57d09e0fb 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); -sp1 = src[0] << shift; -sp2 = src[4] << shift; +sp1 = src[0] * (1 << shift); +sp2 = src[4] * (1 << shift); INV_HAAR4( sp1,sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
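Review bot: `sp1 = src[0] * (1 << shift);` in `ff_ivi_inverse_haar_4x4` multiplies by 1 or 2 (`shift = !(i & 2)`), so the rewrite is exactly the pre-scaling the comment describes and is correct; `src[0] * (shift ? 2 : 1)` would read more directly than a power-of-two expression. As with the other shift-to-multiply fixes, a signed product can still overflow for inputs above half the type's maximum, so the coefficient range should be documented.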
[FFmpeg-cvslog] avformat/mux: Fix copy and paste typo
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri May 26 18:01:31 2017 +0200| [162ad001b834568ca96f28af21633919a3e9b0df] | committer: Michael Niedermayer avformat/mux: Fix copy an paste typo Found-by: Roger Scott Signed-off-by: Michael Niedermayer (cherry picked from commit 1a36354698fc0453ba4d337786d2cb4d3e374cfb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=162ad001b834568ca96f28af21633919a3e9b0df --- libavformat/mux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mux.c b/libavformat/mux.c index a447645198..221ec7ffdc 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -697,7 +697,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", -av_ts2str(pkt->dts), +av_ts2str(pkt->pts), pkt->stream_index ); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
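Review bot: the warning in `write_packet` says "failed to avoid negative pts" and now prints `pkt->pts` instead of `pkt->dts`, which matches the message; since the two timestamps can disagree, printing the dts alongside (`pts %s dts %s`) would make the warning more useful when diagnosing a stream.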
[FFmpeg-cvslog] avcodec/ra144dec: Fix runtime error: left shift of negative value -17
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat May 27 13:07:00 2017 +0200| [4354def5efb7b5fcad6295b38b0624d9a5b295a4] | committer: Michael Niedermayer avcodec/ra144dec: Fix runtime error: left shift of negative value -17 Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4354def5efb7b5fcad6295b38b0624d9a5b295a4 --- libavcodec/ra144dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 3eed17c0da..c716c32e67 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) -*samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); +*samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
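Review bot: `av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2))` in `ra144_decode_frame` is simply `* 4`; either spelling is fine, but since the clip after the multiply means the only behavioural difference from the old `<< 2` is the removal of the undefined shift of a negative sample, a comment such as `/* scale by 4, clipped to 16 bit */` would make the intent obvious.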
[FFmpeg-cvslog] avcodec/libfdk-aacdec: Correct buffer_size parameter
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu May 25 03:21:50 2017 +0200| [1c0524da00f06acef67465164512c251402c8bce] | committer: Michael Niedermayer avcodec/libfdk-aacdec: Correct buffer_size parameter the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until 2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused. after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error. FFmpeg as well as others (like GStreamer) did interpret it as size in bytes Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c0524da00f06acef67465164512c251402c8bce --- libavcodec/libfdk-aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index e5f7c4ebdc..2857b9453f 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c @@ -325,7 +325,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); +err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
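Review bot: passing `s->decoder_buffer_size / sizeof(INT_PCM)` to `aacDecoder_DecodeFrame` is right given the finding that `timeDataSize` counts samples, but the division truncates, so please confirm `decoder_buffer_size` is always a multiple of `sizeof(INT_PCM)` or round it at allocation. A short comment on the call saying that recent libfdk treats the argument as a sample count and memsets that many samples on error would stop the next reader from "fixing" it back to bytes.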
[FFmpeg-cvslog] doc/filters: Clarify scale2ref example
ffmpeg | branch: release/3.1 | Kevin Mark | Sat May 27 10:10:46 2017 -0400| [5aaec845738ba401a97eae4fb16955610f30b1d8] | committer: Michael Niedermayer doc/filters: Clarify scale2ref example Signed-off-by: Kevin Mark Signed-off-by: Michael Niedermayer (cherry picked from commit 114e8716214d414d7965029ae5fe74668ed69e4a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5aaec845738ba401a97eae4fb16955610f30b1d8 --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index b482236e10..92f541de93 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -11514,7 +11514,7 @@ uses the reference video instead of the main input as basis. @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wnv1: More strict buffer size check
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 03:18:02 2017 +0200| [f4ff72cde6fc542cd653779e4279eb28732f0a38] | committer: Michael Niedermayer avcodec/wnv1: More strict buffer size check This requires at least 25% of a picture to allocate and decode it Fixes: Timeout Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4ff72cde6fc542cd653779e4279eb28732f0a38 --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 126c01a02d..915e9c7dc9 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; -if (buf_size <= 8) { +if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
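Review bot: the new threshold `buf_size < 8 + avctx->height * (avctx->width/2)/8` in `decode_frame` encodes an assumption (8 header bytes plus a fraction of the minimum coded picture size) that is not explained anywhere; the commit message says 25% of a picture, so spell out that derivation in a comment next to the check. The `height * width` product cannot overflow here assuming the dimensions went through the usual image size validation at init, but a reader should not have to know that to trust the line.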
[FFmpeg-cvslog] avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 23 21:08:48 2017 +0200| [9ff9355b84977bba806fdaa979e19a90898f54d4] | committer: Michael Niedermayer avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' Fixes: 1770/clusterfuzz-testcase-minimized-5285511235108864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c36ee216f1e668e2c2af1573bd9dbbb2a501f48) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ff9355b84977bba806fdaa979e19a90898f54d4 --- libavcodec/sbrdsp_template.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_template.c b/libavcodec/sbrdsp_template.c index b649dfd7ee..897a3bbffb 100644 --- a/libavcodec/sbrdsp_template.c +++ b/libavcodec/sbrdsp_template.c @@ -33,8 +33,13 @@ static void sbr_qmf_deint_bfly_c(INTFLOAT *v, const INTFLOAT *src0, const INTFLO { int i; for (i = 0; i < 64; i++) { -v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); -v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED +v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; +v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else +v[ i] = src0[i] - src1[63 - i]; +v[127 - i] = src0[i] + src1[63 - i]; +#endif } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
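Review bot: in the fixed-point branch of `sbr_qmf_deint_bfly_c`, `(int)(0x10U + src0[i] - src1[63 - i]) >> 5` does the add in unsigned so it wraps instead of overflowing, then right-shifts a signed value, which is implementation-defined rather than undefined; that is accepted practice in FFmpeg but deserves a comment since it replaces the `AAC_SRA_R` rounding macro. The `#else` branch drops `AAC_SRA_R` from the float build entirely; please confirm the float definition of `AAC_SRA_R(x, 5)` is an identity, otherwise float output changes.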
[FFmpeg-cvslog] avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat May 27 13:17:34 2017 +0200| [f71d15f04fef53a870f8f00233edcb4fbb461580] | committer: Michael Niedermayer avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f71d15f04fef53a870f8f00233edcb4fbb461580 --- libavcodec/mlpdec.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index eac19a0d5e..f60f14cc71 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); -s->num_primitive_matrices = 0; -return AVERROR_INVALIDDATA; +goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); -return AVERROR_INVALIDDATA; +goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); -return AVERROR_INVALIDDATA; +goto error; } max_chan = s->max_matrix_channel; 
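Review bot: replacing the early `return AVERROR_INVALIDDATA;` statements in `read_matrix_params` with `goto error` is the right shape, because `s->matrix_out_ch[mat]` is filled inside the loop before it is validated, and a bounds failure on a later matrix previously left the earlier entries, and the invalid one, in place for the caller to index with. The first hunk's old `s->num_primitive_matrices = 0;` reset is now done once in the shared error path, so there is no behaviour change there.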
@@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: +s->num_primitive_matrices = 0; +memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + +return AVERROR_INVALIDDATA; } /** Read channel parameters. */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
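Review bot: the `memset(s->matrix_out_ch, 0, ...)` at the new `error:` label is needed because the out-of-range channel is stored into `s->matrix_out_ch[mat]` before it is validated (the `av_log` in the second hunk prints it back out of the array); a cleaner shape would read the value into a local, check it, and only then assign, so no invalid index is ever written into the context. Resetting `s->num_primitive_matrices = 0` together with the array is the right pairing, since a consumer that trusts the count would otherwise index stale entries; a short comment at the label explaining that both are cleared to keep the substream state consistent after a failed parse would help the next reader.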
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 03:34:09 2017 +0200| [cadb2d590dc926601e2025036038ee427f26a6c2] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' Fixes: 1851/clusterfuzz-testcase-minimized-5692607495667712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c3a63fc3d1be7ac947e38a165a299c9e5d37764) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cadb2d590dc926601e2025036038ee427f26a6c2 --- libavcodec/aacdec_fixed.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 29a363dec8..b78a27a236 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -370,7 +370,9 @@ static void apply_dependent_coupling_fixed(AACContext *ac, shift = (gain-1024) >> 3; } -if (shift < 0) { +if (shift < -31) { +// Nothing to do +} else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
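Review bot: the empty `if (shift < -31) { // Nothing to do }` arm should say why nothing is done: a right shift by 32 or more would move every bit of a 32-bit coefficient out, so the coupled contribution rounds to zero and skipping it is the correct result, not just a way to dodge the sanitizer. The hunk only bounds the negative side; confirm that the positive branch below (not shown) cannot receive a `shift` of 32 or more from the same `(gain-1024) >> 3` computation, since that would trip the same shift-exponent error in the other direction.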
[FFmpeg-cvslog] avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 14:00:30 2017 +0200| [ed1a66821382586c80799c1fc625419a567b5c82] | committer: Michael Niedermayer avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed1a66821382586c80799c1fc625419a567b5c82 --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index ed3b421ad8..873e4505ec 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -220,7 +220,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { -return (a + b - 1) / b; +return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
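Review bot: `return (a + (int64_t)b - 1) / b;` now narrows a 64-bit quotient back to `int` implicitly; the value fits whenever `b >= 1` (the quotient is at most `|a| + 1`), but an explicit `(int)` cast with a comment stating that bound would document it and keep `-Wconversion` quiet. The change does not address `b == 0`, which would still divide by zero; if callers cannot guarantee a positive divisor, `ff_jpeg2000_ceildiv` needs a guard rather than relying on each caller.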
[FFmpeg-cvslog] avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 17:12:35 2017 +0200| [b778eb8d64c2143eef04d470e76f2a701bdc2b32] | committer: Michael Niedermayer avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b778eb8d64c2143eef04d470e76f2a701bdc2b32 --- libavcodec/snow.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 59c710b5f9..f7ed1f82e7 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -540,7 +540,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ -int i, e, a; +int i, e; +unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
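Review bot: making `a` `unsigned` turns the overflow into defined wraparound, but the value is still meaningless once `e` reaches 31 or more, and the `while(get_rac(c, state+1 + FFMIN(e,9)))` loop shown in the hunk only clamps the state index, not `e` itself. Bounding `e` (and returning an error or a clamped symbol when it exceeds the width of `a`) would be the more robust fix; also note that the function is declared to return `int`, so the unsigned result is converted back on return, which is implementation-defined for values above `INT_MAX`.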
[FFmpeg-cvslog] avcodec/sheervideo: Check input buffer size before allocating and decoding
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 13:30:46 2017 +0200| [efa7ce36e372e458b534529bb7d0a21b89368ad6] | committer: Michael Niedermayer avcodec/sheervideo: Check input buffer size before allocating and decoding Fixes: Timeout Fixes: 1858/clusterfuzz-testcase-minimized-6450473802399744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8030c14bd7ac983b81ebe898631979f6b5aea09) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=efa7ce36e372e458b534529bb7d0a21b89368ad6 --- libavcodec/sheervideo.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c index 2f08b7bff0..5b03ce4431 100644 --- a/libavcodec/sheervideo.c +++ b/libavcodec/sheervideo.c @@ -3098,6 +3098,11 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } +if (avpkt->size < 20 + avctx->width * avctx->height / 16) { +av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); +return AVERROR_INVALIDDATA; +} + if (s->format != format) { if (ret < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
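Review bot: the new bound `avpkt->size < 20 + avctx->width * avctx->height / 16` is a heuristic minimum and deserves a comment explaining where `20` and `/ 16` come from (header size plus the smallest number of bits the format can spend per pixel), otherwise the next person will not know whether it is a hard format limit or a tuning knob. `avctx->width * avctx->height` is evaluated in `int`; if the dimensions have already passed `av_image_check_size` the product cannot overflow, but stating that, or computing it in `int64_t`, would make the check self-evidently safe.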
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check tile offsets more completely
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 13:52:13 2017 +0200| [c04d2b2f9ded653af6d3bf6064d767550bcc62eb] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check tile offsets more completely Signed-off-by: Michael Niedermayer (cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c04d2b2f9ded653af6d3bf6064d767550bcc62eb --- libavcodec/jpeg2000dec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fca7740b5d..6267629fad 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -300,7 +300,10 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || -s->image_offset_y < s->tile_offset_y) { +s->image_offset_y < s->tile_offset_y || +s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || +s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y +) { av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
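Review bot: the two added conditions `s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x` and the matching height check correctly reject a first tile that does not intersect the image area, and because `s->image_offset_x < s->tile_offset_x` was already rejected above, they also implicitly reject `tile_width == 0` or `tile_height == 0`; a comment stating both facts would save readers from re-deriving them. Style-wise, the lone `)` on its own line before `{` is unusual for this file; folding it onto the last condition line would match the surrounding code.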
[FFmpeg-cvslog] avcodec/ylc: Check count in build_vlc()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 17:20:42 2017 +0200| [41c6624c885c8ff0a921118b9d8af680d7acee4c] | committer: Michael Niedermayer avcodec/ylc: Check count in build_vlc() Fixes: runtime error: signed integer overflow: 211633430 + 2147483647 cannot be represented in type 'int' Fixes: 1874/clusterfuzz-testcase-minimized-5037763613163520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67b30decf7793523f7fdaef6fdf7f1179ef42b18) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41c6624c885c8ff0a921118b9d8af680d7acee4c --- libavcodec/ylc.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ylc.c b/libavcodec/ylc.c index 95a5e05baa..1af880f4d4 100644 --- a/libavcodec/ylc.c +++ b/libavcodec/ylc.c @@ -108,7 +108,7 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) int new_node = j; int first_node = cur_node; int second_node = cur_node; -int nd, st; +unsigned nd, st; nodes[cur_node].count = -1; @@ -132,6 +132,10 @@ static int build_vlc(AVCodecContext *avctx, VLC *vlc, const uint32_t *table) st = nodes[first_node].count; nodes[second_node].count = 0; nodes[first_node].count = 0; +if (nd >= UINT32_MAX - st) { +av_log(avctx, AV_LOG_ERROR, "count overflow\n"); +return AVERROR_INVALIDDATA; +} nodes[cur_node].count = nd + st; nodes[cur_node].sym = -1; nodes[cur_node].n0 = cur_node; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
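Review bot: the guard `if (nd >= UINT32_MAX - st)` keeps `nd + st` below `UINT32_MAX`, but a few lines above the hunk assigns `nodes[cur_node].count = -1`, so `count` is either a signed type (in which case sums above `INT_MAX` are still converted to negative values and the limit should be `INT_MAX`) or an unsigned type using `-1` as a sentinel (in which case the bound is exactly what prevents a sum from colliding with that sentinel). Either way a comment stating which case applies, and why `UINT32_MAX` rather than `INT_MAX` is the right limit, would make the check verifiable without opening the struct definition.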
[FFmpeg-cvslog] avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 20:08:49 2017 +0200| [78603ff0f9e0c717f3637f1442ef1d108e5d7d91] | committer: Michael Niedermayer avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro Fixes: runtime error: shift exponent 1073741848 is too large for 32-bit type 'INTFLOAT' (aka 'int') Fixes: 1880/clusterfuzz-testcase-minimized-4900645322620928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 872bac81590ccbec40ba7ad203421d9e38d1b253) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78603ff0f9e0c717f3637f1442ef1d108e5d7d91 --- libavcodec/aac_defines.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_defines.h b/libavcodec/aac_defines.h index 0ea667e77b..3c79a8a4a1 100644 --- a/libavcodec/aac_defines.h +++ b/libavcodec/aac_defines.h @@ -72,7 +72,7 @@ typedef int AAC_SIGNE; #define AAC_MSUB31_V3(x, y, z)(int)int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x4000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
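Review bot: the old `(x) >> 1 + (y) >> 1` parsed as `(x) >> (1 + (y)) >> 1` because `+` binds tighter than `>>`, which is exactly how a coefficient ended up as the shift exponent in the reported error; the parenthesised form is correct, and a comment noting that `((x) >> 1) + ((y) >> 1)` is chosen over `((x) + (y)) >> 1` to avoid overflow at the cost of one LSB of rounding would record the trade-off. The neighbouring context line `#define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y))` still evaluates `1 << -1` when `y == 0`, so every caller must guarantee a positive shift; worth a comment on that macro too.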
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 18:09:47 2017 +0200| [228093ec9368dba09a33c1a3f15b5966b1d871e7] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 1878/clusterfuzz-testcase-minimized-6441918630199296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6b9cb5d26a2d9905093621d12785bc5903dce66d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=228093ec9368dba09a33c1a3f15b5966b1d871e7 --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index b78a27a236..7945c46355 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -211,8 +211,8 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) for (i=0; i 0) { -round = 1 << (s-1); +} else if (s >= 0) { +round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
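Review bot: widening the branch to `else if (s >= 0)` with `round = s ? 1 << (s-1) : 0;` is correct for `s == 0` (`(out + 0) >> 0` is the identity), but the reason `s == 0` previously fell through to a later branch and produced `1 << 31` is not obvious from the code; a one-line comment at the `s ? ... : 0` would explain the special case. Please also confirm that the branch following this one (not in the hunk) still handles only strictly negative `s` so the two cases do not overlap.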
[FFmpeg-cvslog] avcodec/webp: Fixes null pointer dereference
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 10 18:37:50 2017 +0200| [f88fd9027c49f20ce0ff0b04658322314fac605e] | committer: Michael Niedermayer avcodec/webp: Fixes null pointer dereference Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488 Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520 Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144 Approved-by: BBB Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67020711b7d45afa073ef671f755765035a64373) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f88fd9027c49f20ce0ff0b04658322314fac605e --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 04d898ee7b..6aa0e4aed8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1350,6 +1350,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (ret < 0) return ret; +if (!*got_frame) +return AVERROR_INVALIDDATA; + update_canvas_size(avctx, avctx->width, avctx->height); if (s->has_alpha) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
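Review bot: the new `if (!*got_frame) return AVERROR_INVALIDDATA;` sits between the inner decode call returning `ret >= 0` and `update_canvas_size()` plus the alpha path, which is where the null dereference came from when no frame had been produced; a comment saying that the following code assumes a populated `p` would document the invariant. Consider whether a VP8 decode that legitimately returns no frame (for example a dropped or non-displayed frame) should be an error or a silent "no output" return, since `AVERROR_INVALIDDATA` will surface to the caller as corrupt input.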
[FFmpeg-cvslog] avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 21:38:24 2017 +0200| [37709a5f8205e7ed8ade812df66c6489404eb40d] | committer: Michael Niedermayer avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37709a5f8205e7ed8ade812df66c6489404eb40d --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 690f7ff3d6..4f8471d28a 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); -m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; +m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
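Review bot: `(ff_irms(...) * (unsigned)gval) >> 12` shifts an unsigned value, so the shift is logical; if the true product can be negative (a negative `gval`), the result is now a large positive `m[0]` instead of the arithmetic-shifted negative the old code produced. The `ff_eval_refl` change elsewhere in ra144.c in this same series uses `(int)(... * (unsigned)b) >> 12`, which keeps the sign; either apply the same cast here or add a comment stating that both factors are non-negative.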
[FFmpeg-cvslog] avcodec/truemotion2: Fix passing null pointer to memset()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 21:54:02 2017 +0200| [79f75b123b3416a824ae36c2c8a898a4dd1ee820] | committer: Michael Niedermayer avcodec/truemotion2: Fix passing null pointer to memset() Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f75b123b3416a824ae36c2c8a898a4dd1ee820 --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4f0e52dbf7..e6ae05f1d5 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -915,7 +915,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; -memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); +if (l->tok_lens[j]) +memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
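Review bot: the `if (l->tok_lens[j])` guard avoids `memset(NULL, 0, 0)`, which is undefined even with a zero length; since that reads like an unnecessary no-op guard, a short comment naming the null-pointer case would stop someone from removing it. Because the function returns `t` straight after, the clearing exists for the next call's benefit; saying so in the comment would make the intent clear.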
[FFmpeg-cvslog] avcodec/ansi: Fix frame memleak
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon May 29 14:07:33 2017 +0200| [f11bc174292fc6cea5aa35b25572eb45b057d236] | committer: Michael Niedermayer avcodec/ansi: Fix frame memleak Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f11bc174292fc6cea5aa35b25572eb45b057d236 --- libavcodec/ansi.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 19c88d8d51..8032aebe5e 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; -s->frame = av_frame_alloc(); -if (!s->frame) -return AVERROR(ENOMEM); - /* defaults */ s->font= avpriv_vga16_font; s->font_height = 16; @@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + +s->frame = av_frame_alloc(); +if (!s->frame) +return AVERROR(ENOMEM); + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
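Review bot: moving `s->frame = av_frame_alloc()` after the dimension check is the right fix for the leak, since the early `return AVERROR(EINVAL)` previously abandoned the allocated frame; the general rule that allocations go last in `decode_init`, after all validation, is worth a comment so future checks are not inserted below the allocation again. The alternative is to set `.caps_internal = FF_CODEC_CAP_INIT_CLEANUP` on the codec so `decode_end` runs on init failure, which would also cover any later allocation added to this function.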
[FFmpeg-cvslog] avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 21:44:32 2017 +0200| [b31bb8a6142cea7a4e84450fe8c1dec8ee8eab4f] | committer: Michael Niedermayer avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b31bb8a6142cea7a4e84450fe8c1dec8ee8eab4f --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 4f8471d28a..c869824e35 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif -bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; +bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
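Review bot: the outer multiplication by `(unsigned)b` with the `(int)` cast before `>> 12` is the right idiom (defined wrap, arithmetic shift preserved), but the inner `refl[i+1] * bp2[i-j]` on the same line is still a signed `int` multiply with no such treatment; the `#if` sanity check visible just above, `(int)(a*(unsigned)b) != a*(int64_t)b`, suggests the author is already aware these products can exceed 32 bits. Either cast the inner product the same way or add a comment stating why `refl[]` and `bp2[]` are bounded enough that it cannot overflow.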
[FFmpeg-cvslog] avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun May 28 21:54:02 2017 +0200| [e561676c55aa9d3745b5e30b41693a179cbee8d2] | committer: Michael Niedermayer avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e561676c55aa9d3745b5e30b41693a179cbee8d2 --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 245a32a8d7..4f0e52dbf7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,7 +272,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) -ctx->deltas[stream_id][i] = v - (1 << mb); +ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
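Review bot: `1U << mb` is still undefined for `mb == 32`, and `get_bits_long` can read up to 32 bits, so the fix relies on `mb` being bounded below 32 where it is read (not shown in the hunk); please confirm that bound exists or add it next to the `1U << (mb - 1)` test on the line above. The unsigned difference is then assigned to `ctx->deltas[stream_id][i]`, so a comment that the intended value is the sign-extended two's-complement reading of `v` would make the conversion back to a signed delta obvious.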
[FFmpeg-cvslog] avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 30 03:09:11 2017 +0200| [64168825dec02348010bce8ee664b2bdb6d66007] | committer: Michael Niedermayer avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64168825dec02348010bce8ee664b2bdb6d66007 --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f828fc725b..a679d424eb 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -548,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else -S = T + ((s->decorr[i].weightA * A + 512) >> 10); +S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
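Review bot: `(int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10` deliberately wraps in unsigned and then casts back to `int` before the shift so the shift stays arithmetic and negative intermediates keep their sign; this idiom is easy to "simplify" back into the overflowing form or into a plain unsigned shift, so a comment on the line would protect it. Since the non-S16P branch directly above already uses `(int64_t)A`, a comment explaining why the S16P path prefers the wrapping 32-bit form (presumably matching the reference decoder's behaviour) would also answer the obvious consistency question.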
[FFmpeg-cvslog] avcodec/jpeg2000dec: Use ff_set_dimensions()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon May 29 13:45:29 2017 +0200| [4ba6f68b27c2668943982d04c8bc624504c8375b] | committer: Michael Niedermayer avcodec/jpeg2000dec: Use ff_set_dimensions() Fixes: OOM Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4ba6f68b27c2668943982d04c8bc624504c8375b --- libavcodec/jpeg2000dec.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 6267629fad..b23e1678d5 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -260,6 +260,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; +int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); @@ -359,10 +360,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ -s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); -s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); +ret = ff_set_dimensions(s->avctx, +ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), +ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); +if (ret < 0) +return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
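Review bot: routing the computed size through `ff_set_dimensions()` gives the SIZ parse the size validation it lacked, which is what turns the reported OOM into a clean `AVERROR_INVALIDDATA`; the early `return ret;` is correct since `ff_set_dimensions` logs on failure. One thing to confirm: `get_siz` runs on every SIZ marker, so a later marker can now change `avctx->width`/`height` mid-stream; if that was previously guarded elsewhere, the guard should still apply after this change, and the profile check that follows should use the values `ff_set_dimensions` just stored.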
[FFmpeg-cvslog] avcodec/wavpack: Check float_shift
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 30 03:13:21 2017 +0200| [ea70971cbe9ffd23cfd0bf519280a131097f8979] | committer: Michael Niedermayer avcodec/wavpack: Check float_shift Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int' Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea70971cbe9ffd23cfd0bf519280a131097f8979 --- libavcodec/wavpack.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a679d424eb..3bc345e797 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -872,6 +872,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag= bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); +if (s->float_shift > 31) { +av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); +s->float_shift = 0; +continue; +} got_float= 1; bytestream2_skip(&gb, 1); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
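Review bot: the `continue` after `s->float_shift = 0;` bypasses both `got_float = 1` and `bytestream2_skip(&gb, 1)`; please confirm the enclosing metadata loop repositions `gb` from the block's declared size rather than from the bytes consumed here, otherwise the skipped padding byte desynchronises parsing of the next metadata block. Silently resetting the shift and carrying on also leaves `got_float` unset, which may make the later float-output path fail in a less obvious place; returning `AVERROR_INVALIDDATA` at this point would make the corrupt FLOATINFO block the visible cause.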
[FFmpeg-cvslog] avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 30 04:03:09 2017 +0200| [276eae8adc95c83ef0717376142af2e2f5b55d17] | committer: Michael Niedermayer avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=276eae8adc95c83ef0717376142af2e2f5b55d17 --- libavcodec/acelp_pitch_delay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index 8ec1ba3a83..c345a99c81 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c @@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, ff_exp10(0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / -sqrtf(fixed_mean_energy); +sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
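Review bot: `sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0)` substitutes an energy of 1.0 for 0 to avoid dividing by zero and producing the out-of-range float from the commit title, but that choice changes the computed gain for the zero case and deserves a comment explaining why 1.0 is the acceptable fallback. The literal should be `1.0f` so the ternary stays in `float` instead of promoting both arms to `double` before `sqrtf`; and a negative `fixed_mean_energy` still yields NaN from `sqrtf`, which this change does not address.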
[FFmpeg-cvslog] avformat/avidec: Limit formats in gab2 to srt and ass/ssa
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue May 30 21:29:20 2017 +0200| [39c729c375a67eb87d420e2079a003af6f0c7bf2] | committer: Michael Niedermayer avformat/avidec: Limit formats in gab2 to srt and ass/ssa This prevents part of one exploit leading to an information leak Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39c729c375a67eb87d420e2079a003af6f0c7bf2 --- libavformat/avidec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ebb21bd937..65193289c4 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1088,6 +1088,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; +if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) +goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
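Review bot: the allowlist `strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")` correctly restricts a probed demuxer to the two formats GAB2 subtitle streams are expected to carry, which is the right defensive posture for attacker-controlled embedded data; a comment saying that `"ass"` is the demuxer name covering both ASS and SSA (as the commit title states) would avoid someone "fixing" the list by adding a non-existent `"ssa"` entry. An `av_log` at debug or error level before `goto error` would also make rejected files diagnosable instead of failing silently.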
[FFmpeg-cvslog] avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 13:21:58 2017 +0200| [2a55e8bda94375e2d61236c618e2a119b21217b2] | committer: Michael Niedermayer avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a55e8bda94375e2d61236c618e2a119b21217b2 --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 4d1b77187b..cd4eec9caf 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -615,7 +615,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) -h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; +h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
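Review bot: `(h->qp + (unsigned)get_se_golomb(&h->gb)) & 63` is correct because masking with 63 only depends on the low six bits, which unsigned wraparound preserves; a comment to that effect would justify the cast. Separately, the mask means an arbitrarily large or negative delta from a corrupt stream is silently folded into a valid quantizer rather than rejected; if the bitstream spec bounds the delta, checking it and returning `AVERROR_INVALIDDATA` would surface corruption instead of decoding garbage.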
[FFmpeg-cvslog] avcodec/pnm: Use ff_set_dimensions()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 13:39:45 2017 +0200| [4911902c6f312bd060e2b7d4158a84f0aa7b1db9] | committer: Michael Niedermayer avcodec/pnm: Use ff_set_dimensions() Fixes: OOM Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4911902c6f312bd060e2b7d4158a84f0aa7b1db9 --- libavcodec/pnm.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 1675959fbf..8b4a4ac292 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; +int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; -avctx->width = w; -avctx->height = h; +ret = ff_set_dimensions(avctx, w, h); +if (ret < 0) +return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { 
@@ -153,8 +156,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; -avctx->width = w; -avctx->height = h; +ret = ff_set_dimensions(avctx, w, h); +if (ret < 0) +return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
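Review bot: in both hunks the condition immediately above the change still calls `av_image_check_size(w, h, 0, avctx)`, and `ff_set_dimensions()` performs the same size validation internally, so the explicit call is now redundant; either drop it from the two `if` conditions or leave a comment explaining why the early check is kept (for example to fail before the `bytestream >= bytestream_end` test). The `int ret;` added to the declarations and the `if (ret < 0) return ret;` pattern are consistent with the rest of the file.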
[FFmpeg-cvslog] avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 22:02:07 2017 +0200| [317690375e78904e8bd11f4c0f46d8ddf29a8b65] | committer: Michael Niedermayer avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=317690375e78904e8bd11f4c0f46d8ddf29a8b65 --- libavcodec/hevc_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 83f2ec2bac..895046722f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -738,7 +738,7 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); -next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; +next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
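Review bot: `(next_coef + 256U + scaling_list_delta_coef) % 256` is correct only because 256 divides 2^32: when the signed `scaling_list_delta_coef` is negative enough to wrap the unsigned sum, the extra 2^32 vanishes under `% 256`, so the result still equals the mathematical `(next_coef + delta) mod 256`. That reasoning is not obvious from the line and would not hold for a non-power-of-two modulus, so please add a comment; the result is in `0..255`, which also makes the later store into `sl->sl[...]` safe.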
[FFmpeg-cvslog] avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 15:52:56 2017 +0200| [6ad05cbad1de2bbdaaeb34fd66931c485ef3e8a5] | committer: Michael Niedermayer avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ad05cbad1de2bbdaaeb34fd66931c485ef3e8a5 --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c869824e35..2ed7361e38 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) -v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; +v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
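Review bot: casting `m[i]` to `unsigned` changes the semantics of the following `>> ff_gain_exp_tab[n]`, not only the overflow behaviour: the product is now unsigned, so the shift is logical rather than arithmetic, and if `ff_gain_val_tab[n][i] * m[i]` can be negative the result is a large positive value that is then narrowed into `v[i]`. That is only correct if `m[i]` and the table entries are known non-negative; if they are not, widening instead (`(int64_t)ff_gain_val_tab[n][i] * m[i]`) preserves the sign through the shift. A comment stating the assumed sign of `m[i]` would make the intent clear.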
[FFmpeg-cvslog] avcodec/cinepak: Check input packet size before frame reallocation
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 22:18:23 2017 +0200| [89b2e25e138d3cf7e1651ded171c9c7cbfff00ad] | committer: Michael Niedermayer avcodec/cinepak: Check input packet size before frame reallocation Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89b2e25e138d3cf7e1651ded171c9c7cbfff00ad --- libavcodec/cinepak.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 737462bd9c..4b12fcbca6 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; -if (s->size < 10) -return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; +if (s->size < 10) +return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
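Review bot: moving `if (s->size < 10) return AVERROR_INVALIDDATA;` from `cinepak_decode()` into `cinepak_decode_frame()` before `ff_reget_buffer()` is fine for this caller, but it turns the check into an undocumented precondition of `cinepak_decode()`, which still reads `s->data[0]`, `AV_RB24(&s->data[1])` and `AV_RB16(&s->data[8])` unconditionally. Any other call site of `cinepak_decode()` must now enforce the same minimum; a short comment on `cinepak_decode()` documenting the 10-byte requirement (or keeping the check in both places, it is one comparison) would prevent that from regressing.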
[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 13:02:51 2017 +0200| [80d39a5bb34dff46de36c243cf4394a8508d9377] | committer: Michael Niedermayer avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80d39a5bb34dff46de36c243cf4394a8508d9377 --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 6416da436e..c5b1d50a13 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -69,7 +69,7 @@ static void scale_coefs ( int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; -shift = 4 - ((dynrng << 23) >> 28); +shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; ihttp://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
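Review bot: `sign_extend(dynrng, 9) >> 5` expresses what `(dynrng << 23) >> 28` was trying to do (take the top 4 bits of a 9-bit signed field) without left-shifting a value into the sign bit, but it still depends on `>>` of a negative `int` being an arithmetic shift, which is implementation-defined in C; FFmpeg relies on that elsewhere, so this is consistent, but a comment noting it would keep a future reviewer from reintroducing the shift-based version. The resulting `shift` is then used in `round = 1 << (shift-1)`, so it is worth double-checking that the new expression yields the same range (-8..7) as the old one for all 9-bit inputs.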
[FFmpeg-cvslog] avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri Jun 2 22:31:02 2017 +0200| [cc6eec316e2a49c255f068821c6de497b2e3f1c1] | committer: Michael Niedermayer avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9faf098163b33e7b0f5baafa3371ef5401f4105d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc6eec316e2a49c255f068821c6de497b2e3f1c1 --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 48b595adbd..01f6d1f076 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -942,7 +942,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED -width <<= 1; +width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
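Review bot: `width = FFMIN(2U*width, INT_MAX);` saturates instead of wrapping, which is the right choice for a fixed-point gain, but note that it changes the value only in the single case that used to overflow: `stop - start == 1` gives `width = Q30(1.f) = 2^30`, so the doubled value becomes `INT_MAX` (2^31 - 1) rather than 2^31. That one-LSB error is negligible for a Q30 quantity, and `width` can never be negative here because the divisor is forced to at least 1, so the unsigned comparison inside `FFMIN` is safe. A brief comment saying the clamp is intentional saturation would help.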
[FFmpeg-cvslog] avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed May 31 22:53:02 2017 +0200| [4007ba9833cb0725124f22147ca0523857ff5982] | committer: Michael Niedermayer avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4007ba9833cb0725124f22147ca0523857ff5982 --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 3bc345e797..9ce074d975 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { -add -= (mid - base); +add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
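Review bot: `add -= (mid - (unsigned)base);` makes the wraparound defined but does not make the result meaningful: `add` is converted to `unsigned` for the compound assignment and back to `int`, so a bitstream that drives `mid - base` past the `int` range now yields a silently wrapped `add` instead of UB. Since `mid` and `base` are derived from the stream, it would be worth checking whether their range can be validated where they are read (the surrounding code already does `goto error` on exhausted bits), so that an out-of-range value is rejected rather than propagated into later arithmetic.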
[FFmpeg-cvslog] avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 13:38:02 2017 +0200| [e04d3aadc01f905a774c143073bb38683ce93161] | committer: Michael Niedermayer avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e04d3aadc01f905a774c143073bb38683ce93161 --- libavcodec/pafvideo.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..1618a3e7c3 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; -if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) -return ret; +if (pkt->size < 2) +return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); +if ((code & 0xF) > 4) { +avpriv_request_sample(avctx, "unknown/invalid code"); +return AVERROR_INVALIDDATA; +} + +if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) +return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: -avpriv_request_sample(avctx, "unknown/invalid code"); -return AVERROR_INVALIDDATA; +av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
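Review bot: replacing the `default:` branch's `avpriv_request_sample(...); return AVERROR_INVALIDDATA;` with `av_assert0(0)` turns what was a recoverable error on crafted input into a process abort, and that is only safe if the new `(code & 0xF) > 4` check rejects every value the switch lacks a case for. That equivalence is not visible in this hunk (the switch statement itself is outside the context), and the next commit in this log is titled "avcodec/pafvideo: Fix assertion failure", which suggests it did not hold; for a decoder fed untrusted data, keeping the error return in `default:` is the safer form even when it is believed unreachable. The reordering itself (size and code checks before `ff_reget_buffer()`) is good and is what fixes the timeout.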
[FFmpeg-cvslog] avformat/options: log filename on open
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri Jun 2 14:47:16 2017 +0200| [6af15d2d896dc4a909a1d80d70d227f96730f3a2] | committer: Michael Niedermayer avformat/options: log filename on open The loglevel is choosen so that the main filename and any images of multi image sequences are shown only at debug level to avoid clutter. This makes exploits in playlists more visible. As they would show accesses to private/sensitive files Signed-off-by: Michael Niedermayer (cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6af15d2d896dc4a909a1d80d70d227f96730f3a2 --- libavformat/options.c | 12 libavformat/utils.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/options.c b/libavformat/options.c index 04d9c454d3..8fbc0d445e 100644 --- a/libavformat/options.c +++ b/libavformat/options.c @@ -102,6 +102,18 @@ static const AVClass av_format_context_class = { static int io_open_default(AVFormatContext *s, AVIOContext **pb, const char *url, int flags, AVDictionary **options) { +int loglevel; + +if (!strcmp(url, s->filename) || +s->iformat && !strcmp(s->iformat->name, "image2") || +s->oformat && !strcmp(s->oformat->name, "image2") +) { +loglevel = AV_LOG_DEBUG; +} else +loglevel = AV_LOG_INFO; + +av_log(s, loglevel, "Opening \'%s\' for %s\n", url, flags & AVIO_FLAG_WRITE ? "writing" : "reading"); + #if FF_API_OLD_OPEN_CALLBACKS FF_DISABLE_DEPRECATION_WARNINGS if (s->open_cb) diff --git a/libavformat/utils.c b/libavformat/utils.c index d71aca851b..46dc5109d1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -497,6 +497,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; +av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); if ((ret = init_input(s, filename, &tmp)) < 0) goto fail; s->probe_score = ret; 
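Review bot: the condition `!strcmp(url, s->filename) || s->iformat && !strcmp(s->iformat->name, "image2") || s->oformat && !strcmp(s->oformat->name, "image2")` mixes `&&` and `||` without parentheses; it parses as intended (`&&` binds tighter) but triggers `-Wparentheses` and is easy to misread, so `(s->iformat && ...) || (s->oformat && ...)` would be clearer. Also `s->filename` must already be populated when `io_open_default()` runs, which is why the `av_strlcpy(s->filename, ...)` in `avformat_open_input()` is moved up before `init_input()` in the same patch; a comment at the new `av_strlcpy` location stating that dependency would stop someone moving it back. From a defensive standpoint the info-level log of every non-primary URL is the point of the change: a playlist that references unexpected local paths now shows up in default-verbosity logs.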
@@ -534,7 +535,6 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, } s->duration = s->start_time = AV_NOPTS_VALUE; -av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* Allocate private data. */ if (s->iformat->priv_data_size > 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
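Review bot: removing the later `av_strlcpy(s->filename, ...)` is correct since the same copy now happens before `init_input()`; the only behavioural difference is that `s->filename` is populated even when `init_input()` fails and takes the `goto fail` path, which is harmless. Nothing else to flag in this hunk.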
[FFmpeg-cvslog] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 1 18:48:37 2017 +0200| [3ecefcabe076578b8e31217043af578cfac0a682] | committer: Michael Niedermayer avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ecefcabe076578b8e31217043af578cfac0a682 --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 9ce074d975..e55cd82595 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -184,7 +184,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { -if (get_bits_left(gb) < t2 - 1) +if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
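Review bot: `t2 >= 32 ||` ahead of the bits-left check is the right order (it is evaluated first, so `get_bits_long(gb, t2 - 1)` is never asked for 31 or more bits) and it bounds `1 << (t2 - 1)` to at most `1 << 30`, which fits in `int`. What the hunk does not address is the following `t += ...`: `t` already accumulates `t2` (`t += t2;`) and now a value up to 2^31 - 1, so if `t` is a plain `int` that addition can still overflow on a crafted stream; making `t` `unsigned`/`int64_t` or checking `t` before the add would close that.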
[FFmpeg-cvslog] avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 17:06:27 2017 +0200| [278b8d18ad297b0841a22f9f6aca5efe0c33eb6f] | committer: Michael Niedermayer avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=278b8d18ad297b0841a22f9f6aca5efe0c33eb6f --- libavcodec/hevc_ps.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 895046722f..4b2a6244ee 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -169,6 +169,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, } } +if (k >= FF_ARRAY_ELEMS(rps->used)) { +av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); +return AVERROR_INVALIDDATA; +} + rps->num_delta_pocs= k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
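Review bot: `if (k >= FF_ARRAY_ELEMS(rps->used))` is placed after the closing braces of the loops that compute `k`; if those loops index `rps->used[k]` or `rps->delta_poc[k]` as they go, the out-of-bounds write has already happened by the time this check runs and only the later consumers are protected. If that is the case the bound belongs inside the loop (or on the loop count before it starts); if `k` is only a counter there, a comment saying so would make the placement obviously safe. The error message `Invalid num_delta_pocs: %d` and `AVERROR_INVALIDDATA` are the right way to report it either way.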
[FFmpeg-cvslog] avcodec/qdrw: Fix null pointer dereference
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 21:37:47 2017 +0200| [6f49b9a6881349601e6ab41a2eaedadc90dbb02d] | committer: Michael Niedermayer avcodec/qdrw: Fix null pointer dereference The RGB555 PACKBITSRGN case tries to read a palette, if such palette is actually stored then it accesses a null pointer. All 16bit samples i could find use DIRECTBITSRGN. Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 46b865ea9f86cbd12e1bf701913263c7932cccb0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f49b9a6881349601e6ab41a2eaedadc90dbb02d --- libavcodec/qdrw.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 828cfea3fd..2cf18869e1 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -55,6 +55,8 @@ static int parse_palette(AVCodecContext *avctx, GetByteContext *gbc, bytestream2_skip(gbc, 6); continue; } +if (avctx->pix_fmt != AV_PIX_FMT_PAL8) +return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); @@ -227,7 +229,9 @@ static int decode_frame(AVCodecContext *avctx, if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; -parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); +ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); +if (ret < 0) +return ret; p->palette_has_changed = 1; /* jump to image data */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
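Review bot: the `pix_fmt != AV_PIX_FMT_PAL8` check sits inside the per-entry loop of `parse_palette()`, after the `continue` that skips some entries, so a non-PAL8 frame is only rejected once an entry actually needs to be written; that is the minimal fix for the NULL `p->data[1]` dereference, but placing it once at the top of `parse_palette()` (or checking that `p->data[1]` is non-NULL in the caller before passing it) would reject the PACKBITSRGN/RGB555 combination earlier and make the invariant explicit. Propagating `ret` in `decode_frame()` instead of ignoring the return value is the important part and is correct.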
[FFmpeg-cvslog] avcodec/tiff: Avoid losing allocated geotag values
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon Jun 5 20:39:21 2017 +0200| [42b26b41a4e626fc9dbcb5e897a21729b2c85c87] | committer: Michael Niedermayer avcodec/tiff: Avoid loosing allocated geotag values Fixes memleak Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42b26b41a4e626fc9dbcb5e897a21729b2c85c87 --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index dac406862d..c46f771565 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1122,6 +1122,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; +if (s->geotags[i].val) +return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
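Review bot: `if (s->geotags[i].val) return AVERROR_INVALIDDATA;` closes the leak by rejecting a second definition of the same geotag rather than freeing and replacing the previous value; that is a behaviour change for files that carry duplicate geotag entries (they now fail to decode), which seems acceptable for malformed input but deserves a mention in the commit message. Placing the check before `av_malloc()` is correct; a short comment such as `/* duplicate geotag: value already allocated */` would document why a duplicate is an error rather than an overwrite.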
[FFmpeg-cvslog] avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 20:45:09 2017 +0200| [1f4da7c38460e42e43a22d461b74d6f7dfcb4d8c] | committer: Michael Niedermayer avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 6019d721d4c10bf73018d68511d9d0a914c0a389) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f4da7c38460e42e43a22d461b74d6f7dfcb4d8c --- libavutil/softfloat.h | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index daf91a5557..c50aaf5285 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -177,8 +177,10 @@ static inline av_const SoftFloat av_sub_sf(SoftFloat a, SoftFloat b){ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
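Review bot: the corrected `@returns a SoftFloat with value v * 2^-frac_bits` now agrees with the sentence added above it, which is the substance of the fix; while touching the comment, `mantisse` should be `mantissa`, and spelling the scaling out as `v / 2^frac_bits` as well would make the direction unambiguous for readers who skim past the sign.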
[FFmpeg-cvslog] avformat/hls: Check local file extensions
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat Jun 3 21:20:04 2017 +0200| [e0a3b8670d27863bfe6175b383918a5516a6bc42] | committer: Michael Niedermayer avformat/hls: Check local file extensions This reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its features. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There also were objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. Limiting the check to local files was suggested by nevcairiel. This recommits the security fix without the author name joke which was originally requested by Nicolas. Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu
Signed-off-by: Michael Niedermayer (cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a3b8670d27863bfe6175b383918a5516a6bc42 --- libavformat/hls.c | 18 +- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 72415320d4..3b89ae5a7c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -203,6 +203,7 @@ typedef struct HLSContext { char *http_proxy;///< holds the address of the HTTP proxy server AVDictionary *avio_opts; int strict_std_compliance; +char *allowed_extensions; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -617,8 +618,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; // only http(s) & file are allowed -if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) +if (av_strstart(proto_name, "file", NULL)) { +if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { +av_log(s, AV_LOG_ERROR, +"Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" +"If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", +url); +return AVERROR_INVALIDDATA; +} +} else if (av_strstart(proto_name, "http", NULL)) { +; +} else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':') 
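Review bot: the extension allow-list is applied only in the `file` branch, so `http`/`https` URLs keep their previous unrestricted behaviour and the check matches the scope stated in the commit message. Two points on the code: `strcmp(c->allowed_extensions, "ALL")` assumes the option string is never NULL, which holds with the default from the option table but not if it is cleared through the option API, so a `!c->allowed_extensions ||` guard (or treating NULL as the default) would avoid a crash on misconfiguration; and the `} else if (av_strstart(proto_name, "http", NULL)) { ; } else return AVERROR_INVALIDDATA;` structure reads awkwardly, the same logic is clearer as a first `if (!http && !file) return AVERROR_INVALIDDATA;` followed by the file-only extension check. Also note `av_match_ext()` is a plain extension match, so this is the declared policy, not path containment: any local file with a listed extension is still reachable from a playlist, as the message says.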
@@ -2046,6 +2058,10 @@ static int hls_probe(AVProbeData *p) static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, +{"allowed_extensions", "List of file extensions that hls is allowed to access", +OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, +{.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, +INT_MIN, INT_MAX, FLAGS}, {NULL} }; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
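Review bot: the help text "List of file extensions that hls is allowed to access" should mention the `ALL` sentinel that `open_url()` honours and that the list is comma-separated, since that is the only way a user discovers the override the error message refers to; something like "comma-separated list of file extensions the hls demuxer may open locally, or ALL to disable the check". The default list is broad (it includes `m3u8`, so nested playlists keep working), which is consistent with the goal of blocking only non-media files such as key material and credentials rather than restricting media access.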
[FFmpeg-cvslog] avcodec/dxv: Check remaining bytes in dxv_decompress_raw()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 4 15:41:18 2017 +0200| [0ad5a36b8b7a08c24dca4f1505922aa1efc8c117] | committer: Michael Niedermayer avcodec/dxv: Check remaining bytes in dxv_decompress_raw() Fixes: Timeout Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb5049227033d946add93c0714bb8a28d94166f1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0ad5a36b8b7a08c24dca4f1505922aa1efc8c117 --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 05a9aadd24..f194b134b5 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -331,6 +331,9 @@ static int dxv_decompress_raw(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; GetByteContext *gbc = &ctx->gbc; +if (bytestream2_get_bytes_left(gbc) < ctx->tex_size) +return AVERROR_INVALIDDATA; + bytestream2_get_buffer(gbc, ctx->tex_data, ctx->tex_size); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
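Review bot: this check converts a short read into a hard error: `bytestream2_get_buffer()` is the bounds-checked reader, so the old code already did not overrun `gbc`; it copied fewer than `ctx->tex_size` bytes and went on to decode whatever was left in `ctx->tex_data`, which is where the timeout came from. Rejecting the packet up front with `AVERROR_INVALIDDATA` is the right fix; the same pattern (compare `bytestream2_get_bytes_left()` against the expected size before a bulk copy) is worth applying to the other `dxv_decompress_*` entry points if they do not already do it.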
[FFmpeg-cvslog] avcodec/mjpegdec: Check that reference frame matches the current frame
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon Jun 5 22:23:15 2017 +0200| [79f0677332c3ca619b6bd192df13106a6235378e] | committer: Michael Niedermayer avcodec/mjpegdec: Check that reference frame matches the current frame Fixes: out of array read Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f0677332c3ca619b6bd192df13106a6235378e --- libavcodec/mjpegdec.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ba0e714f2b..32b6b3b84d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1475,6 +1475,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } +if (reference) { +if (reference->width != s->picture_ptr->width || +reference->height != s->picture_ptr->height || +reference->format != s->picture_ptr->format) { +av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); +return AVERROR_INVALIDDATA; +} +} + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
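Review bot: comparing `reference->width`/`height`/`format` with `s->picture_ptr` before any pixel data is touched is the correct place for this check, and it directly prevents the out-of-array read when a reference frame of a different geometry is supplied. It dereferences `s->picture_ptr`, which the following `av_assert0(s->picture_ptr->data[0])` already assumes, so there is no new NULL risk. The log message `Reference mismatching` would be more actionable with both geometries included, e.g. `"%dx%d/%d vs %dx%d/%d"`.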
[FFmpeg-cvslog] avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Mon Jun 5 19:33:56 2017 +0200| [bcf63142d1596095d3ae72bd8a8807bc77f500b2] | committer: Michael Niedermayer avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcf63142d1596095d3ae72bd8a8807bc77f500b2 --- libavcodec/cavs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 8542b124ef..c1b280b344 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -537,8 +537,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { -int den = h->scale_den[FFMAX(src->ref, 0)]; - +int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
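Review bot: changing `den` to `int64_t` only widens the last multiplication: `*` is left-associative, so `src->x * distp` is still evaluated in `int` before the product is multiplied by `den`. The reported overflow (`-12648062 * 256`) is consistent with `den` being the 256 factor, so this hunk fixes the observed case, but if `src->x * distp` can itself exceed 32 bits the cast belongs on the first operand (`(int64_t)src->x * distp * den`). The `>> 9` result is also narrowed back into `int *d_x` without a range check; that narrowing is implementation-defined rather than UB, but a clip would make the motion vector bounds explicit.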
[FFmpeg-cvslog] avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue Jun 6 16:01:16 2017 +0200| [e8aa646e4a23a77a7b47ff6c563092a95c1c258a] | committer: Michael Niedermayer avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8aa646e4a23a77a7b47ff6c563092a95c1c258a --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index a05b50ac5c..66983d67c9 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -860,7 +860,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) -decoded[i] *= 1 << s->sample_shift[chan]; +decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -902,7 +902,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) -samples[i] *= 1 << 8; +samples[i] *= 1U << 8; } break; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
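Review bot: `decoded[i] *= 1U << s->sample_shift[chan];` makes the multiplication unsigned, so an overflowing sample wraps instead of being UB; that is acceptable for a decoder that later truncates, but it relies on `s->sample_shift[chan]` being validated to `< 32` where it is parsed, otherwise `1U << shift` is still undefined (and `1U << 31` times a sample is a very large unsigned value narrowed into `int32_t`). The `1U << 8` change is harmless since that value fits either way. A comment next to where `sample_shift` is read, stating its permitted range, would tie the two together.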
[FFmpeg-cvslog] avcodec/indeo4: Check remaining data in Pic hdr extension parsing code
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 8 13:58:47 2017 +0200| [26afadbd29359dea996d7fb2fd647bf9cbb59584] | committer: Michael Niedermayer avcodec/indeo4: Check remaining data in Pic hdr extension parsing code Fixes: Timeout Fixes: 2115/clusterfuzz-testcase-minimized-6594111748440064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3b5b60bdf451faefeeec07c4e684a251968bf2d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26afadbd29359dea996d7fb2fd647bf9cbb59584 --- libavcodec/indeo4.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 69f78c90b2..53bb5a239c 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -237,6 +237,8 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); +if (get_bits_left(&ctx->gb) < 10) +return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
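Review bot: the bound is slightly conservative: after `get_bits1()` has consumed the flag, the loop body needs 8 bits for `skip_bits(&ctx->gb, 8)` plus 1 for the next flag read, i.e. 9, so `< 10` rejects an extension byte that ends exactly at the bitstream end. That is harmless in practice, but `< 9` would be the exact bound, and a one-line comment explaining the constant avoids the question. Either way, erroring out here is what stops the loop from spinning on an exhausted bitstream, which is the timeout being fixed.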
[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 8 13:44:32 2017 +0200| [cd16f4cf4b08d46b1284768522be4b71ae6fc71e] | committer: Michael Niedermayer avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd16f4cf4b08d46b1284768522be4b71ae6fc71e --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index c5b1d50a13..56b62548ec 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,7 +65,7 @@ static void scale_coefs ( int len) { int i, shift, round; -int16_t mul; +unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
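Review bot: making `mul` `unsigned` changes the type of every expression it appears in: the product with a negative coefficient now wraps and, more importantly, any right shift applied to that product becomes a logical shift. The uses of `mul` are outside this hunk, so it is not possible to tell from the patch whether the code converts back to a signed type before the `round`/`shift` step in the same function; that should be confirmed, otherwise negative coefficients are scaled incorrectly. If a wider signed type is acceptable, `int64_t` for the product would keep arithmetic-shift semantics without the overflow.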
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue Jun 6 16:28:57 2017 +0200| [faa104541d36fa081cc56eeb8eb679e956fad54d] | committer: Michael Niedermayer avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 18bca25adbae9d010d75f9fc197c0af656af758d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=faa104541d36fa081cc56eeb8eb679e956fad54d --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 52ec688ce8..0da925c4f8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2333,7 +2333,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; -s->time = s->time_base * s->avctx->framerate.num + time_increment; +s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2345,7 +2345,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { -s->time= (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; +s->time= (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
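Review bot: in the first hunk the `(int64_t)` cast on `s->avctx->framerate.num` only helps if `s->time` is a 64-bit field; the hunk does not show its declaration, so please confirm the assignment is not truncating a 64-bit product back to `int` (in which case the undefined overflow merely becomes an implementation-defined narrowing). `s->time_base += time_incr` on the line above is also still plain arithmetic in whatever type `time_base` has, so if that field is `int` it can overflow on hostile input before the widened multiplication is reached.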
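Review bot: in the second hunk the parenthesised sum `(s->last_time_base + time_incr)` is evaluated in the operands' own type before the `(int64_t)` cast takes effect on the multiplication, so if `last_time_base` and `time_incr` are `int` the addition can still overflow; widening one operand of the addition, for example `((int64_t)s->last_time_base + time_incr) * s->avctx->framerate.num`, would cover that case too and make the cast on `framerate.num` unnecessary.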
[FFmpeg-cvslog] avcodec/pafvideo: Fix assertion failure
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue Jun 6 16:21:37 2017 +0200| [fb1d3fb1e5afacafff805a0e948c5cd3a4290ba5] | committer: Michael Niedermayer avcodec/pafvideo: Fix assertion failure Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb1d3fb1e5afacafff805a0e948c5cd3a4290ba5 --- libavcodec/pafvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 1618a3e7c3..91bfe16376 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -273,7 +273,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); -if ((code & 0xF) > 4) { +if ((code & 0xF) > 4 || (code & 0xF) == 3) { avpriv_request_sample(avctx, "unknown/invalid code"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
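Review bot: nothing at the check explains why code 3 is rejected alongside `> 4` in `if ((code & 0xF) > 4 || (code & 0xF) == 3)`; the subject says it triggered an assertion further down, so a one-line comment here (or a small table of accepted low-nibble values) would stop a future reader from "simplifying" the condition back. Rejecting at the byte-parse point rather than where the assert fires is the right layer, because malformed input then produces `AVERROR_INVALIDDATA` instead of an abort.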
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 14:32:35 2017 +0200| [7927112377b5f1be313e69fb05b74898ba194b4a] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 Fixes: 2195/clusterfuzz-testcase-minimized-4736721533009920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d499ecef9c2467772b6066176ffda0b7ab27cc2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7927112377b5f1be313e69fb05b74898ba194b4a --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 7945c46355..4506001619 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -389,7 +389,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x10) >> 37); -dest[group * 128 + k] += tmp << shift; +dest[group * 128 + k] += tmp * (1 << shift); } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
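Review bot: `tmp * (1 << shift)` removes the left-shift-of-negative-value report but not all of the undefined behaviour: `1 << shift` is itself undefined for `shift >= 31`, and the multiplication is signed overflow when `tmp` is large, exactly as `tmp << shift` would have been. Unless `shift` and the magnitude of `tmp` are bounded at the call site, consider `tmp * (1U << shift)` (the wrap is then defined) or an explicit range check on `shift` next to this line; a comment stating the valid range of `shift` would make the fix reviewable in isolation.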
[FFmpeg-cvslog] avcodec/snowdec: Fix runtime error: left shift of negative value -1
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 14:34:54 2017 +0200| [afc6d2242cbc29bd027283aa0e003357d867c1e0] | committer: Michael Niedermayer avcodec/snowdec: Fix runtime error: left shift of negative value -1 Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=afc6d2242cbc29bd027283aa0e003357d867c1e0 --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 022e9693c7..7d6d7ff44f 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -586,7 +586,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; xhttp://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
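Review bot: the hunk body is truncated in this copy of the message (the loop lines after the `@@ -586,7 +586,7 @@` header are cut off), so the actual change cannot be reviewed from what is shown; only the subject, a left shift of the negative value -1, is available. The sibling avcodec/aacdec_fixed and avcodec/jpeg2000dwt commits on this list fix the same class of sanitizer report with the `x * (1 << n)` form, and the caveat for them applies here as well: that form is only well-defined if `n` is below 31 and the magnitude of `x` is bounded.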
[FFmpeg-cvslog] avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 20:19:59 2017 +0200| [562690a7f73e371ffe2532f23e90b664c9380619] | committer: Michael Niedermayer avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=562690a7f73e371ffe2532f23e90b664c9380619 --- libavcodec/wavpack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index a1b46d5bd7..c71006112a 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; -int bitrate_acc, bitrate_delta; +unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
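Review bot: making `bitrate_acc` and `bitrate_delta` `unsigned` changes the semantics of every existing use, not just the reported addition (1886191616 + 277872640): right shifts of these fields become logical instead of arithmetic and comparisons against signed values become unsigned comparisons. The diff touches only the header, so the users in wavpack.c are not visible here and each needs checking. If a modulo-2^32 accumulator is what the format intends, a comment on the struct saying so would prevent someone from changing the type back.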
[FFmpeg-cvslog] avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat Jun 10 19:43:25 2017 +0200| [4f2aaccff0ecc3a0b5f3c1791c7bb5837ae3f602] | committer: Michael Niedermayer avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4f2aaccff0ecc3a0b5f3c1791c7bb5837ae3f602 --- libavcodec/flicvideo.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 192d4fe8a7..157f0c31a7 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -275,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; +if (y_ptr > pixel_limit) +return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; +if (line_packets > s->avctx->height) +return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -327,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); +if (starting_line >= s->avctx->height) +return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; 
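Review bot: in the first hunk, after `y_ptr += line_packets * s->frame->linesize[0]` the new `y_ptr` is validated only at the top of the next loop iteration by the added `if (y_ptr > pixel_limit)` check; the `if (line_packets > s->avctx->height)` test bounds the multiplication itself (the reported 4864 * 459296 overflow), but it still allows a skip of exactly `height` lines, which lands `y_ptr` at or past the end of the frame and relies on the later `pixel_limit` check. That is fine as long as nothing between the skip and the next iteration writes through `y_ptr`, which the context suggests but does not show; checking `y_ptr` immediately after the addition as well would make the invariant hold at every use.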
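Review bot: in the `FLI_LC` hunk, `if (starting_line >= s->avctx->height)` only guarantees that the initial `y_ptr` is in range; the per-line loop that follows is not in the hunk, so it is not visible whether `starting_line` plus the number of compressed lines is also bounded. The `>=` here versus the `>` in the skip-count check above is a deliberate difference (a start index versus a count) and a short comment would save the next reader from wondering whether one of them is off by one.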
@@ -563,9 +569,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; +if (y_ptr > pixel_limit) +return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; +if (line_packets > s->avctx->height) +return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
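Review bot: the 15/16BPP path repeats the same two checks as the 8BPP path, the only difference being how a skip is detected (`line_packets < 0` here versus the `0xC000` mask there); because both paths must stay in sync, factoring the `y_ptr > pixel_limit` and `line_packets > s->avctx->height` checks into one small static helper would prevent a future fix landing in one decode function but not the other. The summary lists 10 insertions across two functions; if the file has a further per-depth decode path it would need the same treatment.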
[FFmpeg-cvslog] avcodec/cfhd: Check band parameters before storing them
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sat Jun 10 18:45:08 2017 +0200| [f263c4687f60c489d7086bbd4a58d1bb279fde80] | committer: Michael Niedermayer avcodec/cfhd: Check band parameters before storing them Fixes out of array read Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f263c4687f60c489d7086bbd4a58d1bb279fde80 --- libavcodec/cfhd.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index dfc9ace792..9473473f2d 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -317,22 +317,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { -s->plane[s->channel_num].band[0][0].width = data; -s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[0][0].width = data; +s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { -s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { 
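Review bot: in the `tag == 28` branch the validation reads `if (data < 3 || data > s->plane[s->channel_num].band[0][0].height)`, i.e. the new height is compared against the band's own `height` field rather than against an allocated size; now that the store `s->plane[...].band[0][0].height = data` has been moved after the check, this compares against the previous value, which looks like a copy of the `tag == 27` branch where the bound is `a_width`. For the check to protect the out-of-array read the subject describes, the bound here should presumably be the allocated height (an `a_height`-style field), not the last stored height.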
@@ -363,39 +363,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { -s->plane[s->channel_num].band[s->level][s->subband_num].width = data; -s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[s->level][s->subband_num].width = data; +s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { -s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { -s->plane[s->channel_num].band[s->level][s->subband_num].width = data; -s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[s->level][s->subband_num].width = data; +s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { -s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } +s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", 
s->codebook);
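Review bot: the highpass branches (tags 41, 42, 49 and 50) now store `width`/`stride`/`height` only after validation, but the validation is still just `if (data < 3)`: unlike the lowpass case there is no upper bound against the allocated band dimensions, so an oversized highpass width or height still passes. If allocation sizes are available for these bands, the same `data > a_width`-style upper bound should be applied; otherwise a comment explaining why a lower bound alone is sufficient belongs here. The four branches are also near-identical, and a shared helper would keep any future bound change consistent across them.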
[FFmpeg-cvslog] avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int'
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 00:45:20 2017 +0200| [9f5ada68805113d96b26ec0eee7748714a7910d4] | committer: Michael Niedermayer avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f5ada68805113d96b26ec0eee7748714a7910d4 --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 2ed7361e38..c077b7b327 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1601,7 +1601,7 @@ void ff_eval_coefs(int *coefs, const int *refl) b1[i] = refl[i] * 16; for (j=0; j < i; j++) -b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; +b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
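Review bot: a comment is warranted on `((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12)`: the unsigned cast makes the product wrap instead of overflow, but the result is then converted back to `int` (implementation-defined) and right-shifted while possibly negative (arithmetic shift is also implementation-defined). On the compilers FFmpeg supports this produces the same bits as before, so the change silences the sanitizer without altering behaviour; the numeric value is meaningless once the true product (the reported -2200 * 1033073) exceeds 32 bits, and stating that this is accepted for malformed input would stop the line from being "fixed" again later.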
[FFmpeg-cvslog] avcodec/tiff: Fix leak of geotags[].val
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 01:05:26 2017 +0200| [427ee58d613a6d8a011f237cf4e11ee7dbe63018] | committer: Michael Niedermayer avcodec/tiff: Fix leak of geotags[].val Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=427ee58d613a6d8a011f237cf4e11ee7dbe63018 --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c46f771565..d026a5bd98 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1096,6 +1096,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); +} else if (s->geotags[i].val) { +av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
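Review bot: keeping the first occurrence of a duplicated GeoTIFF key (the new `else if (s->geotags[i].val)` branch, which refuses to overwrite an already-populated `val`) is a policy choice that deserves a comment, since freeing the old value and keeping the last occurrence would fix the leak equally well. Note also the branch ordering: a duplicate key whose count is invalid is now reported as "Invalid GeoTIFF key" rather than as a duplicate, which is harmless but slightly misleading in logs.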
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue Jun 13 13:28:23 2017 +0200| [fc5bbdf2c5ab27d71a282b336383eb3d775d7037] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible Fixes: 1775/clusterfuzz-testcase-minimized-5330288148217856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d549f026d8b64b879c3ce3b8c7d153c82aa5eb52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fc5bbdf2c5ab27d71a282b336383eb3d775d7037 --- libavcodec/sbrdsp_fixed.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 924da83c85..f42708a8a7 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -242,7 +242,7 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, @@ -260,7 +260,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int shift, round; shift = 22 - s_m[m].exp; -if (shift < 30) { +if (shift < 1) { +av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); +return AVERROR(ERANGE); +} else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +273,10 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], int64_t accu; shift = 22 - q_filt[m].exp; -if (shift < 30) { +if (shift < 1) { +av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); +return AVERROR(ERANGE); +} else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; 
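Review bot: in the first hunk `sbr_hf_apply_noise()` changes from `void` to `int`, but it is `static av_always_inline` and pulled in through `#include "sbrdsp_template.c"`, whose call sites are not part of this diff; unless those callers are updated to propagate `AVERROR(ERANGE)`, the new return value is silently dropped and the only behavioural change is that the loop stops early. Please confirm the template callers check the result.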
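Review bot: in the second hunk the new `if (shift < 1)` branch logs through `av_log(NULL, AV_LOG_ERROR, ...)`, which loses the codec context, so the message cannot be attributed to a stream when several are decoded at once; threading an `AVCodecContext` or other log context into this helper would be better. The check itself is what makes `round = 1 << (shift-1)` well-defined for the `shift < 30` branch, and saying so in a comment would explain the choice of 1 as the lower bound.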
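Review bot: in the third hunk the error message is identical to the one in the previous hunk ("Overflow in sbr_hf_apply_noise, shift=%d"), so a log reader cannot tell whether the `s_m[m].exp` or the `q_filt[m].exp` check tripped; distinguishing the two messages, or including which array was out of range, costs nothing and makes fuzzer reports on this path easier to triage.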
@@ -286,6 +292,7 @@ static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], Y[m][1] = y1; phi_sign1 = -phi_sign1; } +return 0; } #include "sbrdsp_template.c" ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123
ffmpeg | branch: release/3.1 | Michael Niedermayer | Sun Jun 11 20:28:46 2017 +0200| [3a3c32ea1f81e3364bf693926e9c88ddde659f05] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 Fixes: 2208/clusterfuzz-testcase-minimized-5976593765761024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d24043e1a2f93f206a2ad59054f24f45ff023e5c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a3c32ea1f81e3364bf693926e9c88ddde659f05 --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 188cc261a4..735ed0b1dc 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -488,7 +488,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) line += 5; for (i = 0; i < w * h; i++) -data[i] <<= I_PRESHIFT; +data[i] *= 1 << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
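Review bot: `data[i] *= 1 << I_PRESHIFT` avoids the left shift of a negative value, but the multiplication is still signed overflow whenever `|data[i]|` reaches 2^(31 - I_PRESHIFT); `data` is `int32_t` and holds decoded coefficients, so either the coefficient range must be bounded upstream (in which case a comment here should say where) or the operation should be done in unsigned arithmetic. The same pattern appears in the avcodec/aacdec_fixed commit on this list and the same caveat applies there.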
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Tue Jun 13 16:25:59 2017 +0200| [fe3fcc551d710e0a7207322e02ba7974f0d1c293] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() Fixes: runtime error: shift exponent -10 is negative Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1992448d37f7cfa2acda5cc729dc0ff1b019390) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe3fcc551d710e0a7207322e02ba7974f0d1c293 --- libavcodec/aacsbr_fixed.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 01f81afaaa..1f5ff410d1 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -575,22 +575,30 @@ static void sbr_hf_assemble(int Y1[38][64][2], SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { +int shift2; shift = 22 - in[m ].exp; +shift2= 22 - in[m+1].exp; +if (shift < 1 || shift2 < 1) { +av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); +return; +} if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } -shift = 22 - in[m+1].exp; -if (shift < 32) { -round = 1 << (shift-1); -out[2*m+2] += (in[m+1].mant * B + round) >> shift; +if (shift2 < 32) { +round = 1 << (shift2-1); +out[2*m+2] += (in[m+1].mant * B + round) >> shift2; } } if(m_max&1) { shift = 22 - in[m ].exp; -if (shift < 32) { +if (shift < 1) { +av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); +return; +} else if (shift < 32) { round = 1 << (shift-1); out[2*m ] += (in[m ].mant * A + round) >> shift; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
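Review bot: `sbr_hf_assemble()` is `void`, so the new `return;` on `shift < 1 || shift2 < 1` abandons the assembly with `out` only partially updated and gives the caller no way to notice; the sibling avcodec/sbrdsp_fixed commit on this list changed the analogous helper to return `int` with `AVERROR(ERANGE)`, and the same treatment would be consistent here. The message is again logged through `av_log(NULL, ...)` without a context. Computing `shift2` up front is an improvement in itself, since it guards both `round = 1 << (shift-1)` and `round = 1 << (shift2-1)` before either is evaluated.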
[FFmpeg-cvslog] avcodec/hevcdec: Check nb_sps
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 15 01:28:28 2017 +0200| [2d7e26277a7b0a349e8c789357924a6659a8eb5f] | committer: Michael Niedermayer avcodec/hevcdec: Check nb_sps Signed-off-by: Michael Niedermayer (cherry picked from commit bc406744620710911de9157eafa3e61d0246566f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d7e26277a7b0a349e8c789357924a6659a8eb5f --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index cb1263cb43..3389b7f5c7 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -246,6 +246,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); +if (nb_sps > sps->num_long_term_ref_pics_sps) +return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
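Review bot: the constraint behind `if (nb_sps > sps->num_long_term_ref_pics_sps)` should be stated in a comment: it is the HEVC syntax requirement that num_long_term_sps not exceed the number of long-term pictures signalled in the SPS, and placing it before the existing `FF_ARRAY_ELEMS(rps->poc)` check means an out-of-range value never indexes the SPS tables. `get_ue_golomb_long()` returns an unsigned value, so the comparison is unsigned on both sides, which is fine. Unlike the other commits in this batch the message carries no Fixes: line or fuzzer reference, so it is unclear whether this was found by a sample or by inspection.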
[FFmpeg-cvslog] avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 15 23:26:18 2017 +0200| [3e6b7d5802f1e218f2462628489e6ffba1024bed] | committer: Michael Niedermayer avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2231/clusterfuzz-testcase-minimized-4565181982048256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3fadc57c5c170f31455abacbcbd67115d7321d7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e6b7d5802f1e218f2462628489e6ffba1024bed --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index 873e4505ec..8a022ad918 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -215,7 +215,7 @@ typedef struct Jpeg2000Component { /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { -return -(((int64_t)(-a)) >> b); +return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
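Review bot: `-((-(int64_t)a) >> b)` still relies on two things the hunk does not document: the right shift of a negative 64-bit value being arithmetic (implementation-defined in C, but it is what yields the floor needed for a ceiling division), and `b` being below 64, which the function does not check. Widening before negating does remove the reported `-INT_MIN` case, and the narrowing on return is safe: for `a = INT_MIN, b = 0` the result is `INT_MIN`, and any `b > 0` shrinks the magnitude. A comment stating the identity ceil(a / 2^b) = -floor(-a / 2^b) would explain the double negation to the next reader.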
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed Jun 14 23:49:23 2017 +0200| [c19fd272482ec0c74e53486e473b0b9b1b68184f] | committer: Michael Niedermayer avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c19fd272482ec0c74e53486e473b0b9b1b68184f --- libavcodec/mpeg4videodec.c | 40 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 0da925c4f8..96c5b7b6fd 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -284,26 +284,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: -sprite_offset[0][0]= (sprite_ref[0][0] * (1 << alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); -sprite_offset[0][1]= (sprite_ref[0][1] * (1 << alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); -sprite_offset[1][0]= ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); -sprite_offset[1][1]= ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); +sprite_offset[0][0]= ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-vop_ref[0][1]) + (1 << (alpha + rho - 1)); +sprite_offset[0][1]= ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-vop_ref[0][1]) + (1 << (alpha + rho - 1)); +sprite_offset[1][0]= (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 *vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 *vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); +sprite_offset[1][1]= (((int64_t)-r * sprite_ref[0][1] + 
virtual_ref[0][1]) * + ((int64_t)-2 *vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 *vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
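Review bot: the `(int64_t)` casts are only effective if `sprite_offset` is a 64-bit array, and the hunk does not show its declaration; if it is `int`, the widened products are truncated again on assignment. Two things are left untouched: `(1 << alpha + rho)` and `(1 << (alpha + rho + 1))` are still `int` shifts that are undefined once `alpha + rho + 1` reaches 31, and the context lines `s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0])` keep computing in `int`, which the follow-up commit "Check sprite delta upshift against overflowing" on this list then bounds. Parenthesising `alpha + rho` inside the first shift would also make the intended precedence obvious rather than relying on `+` binding tighter than `<<`.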
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check sprite delta upshift against overflowing.
ffmpeg | branch: release/3.1 | Michael Niedermayer | Wed Jun 14 23:55:17 2017 +0200| [5d609474f3b5196f33204dc572cf4914d88cda2e] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d609474f3b5196f33204dc572cf4914d88cda2e --- libavcodec/mpeg4videodec.c | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 96c5b7b6fd..ba2d0a33df 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -361,14 +361,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; -if (shift_c < 0 || shift_y < 0 || -FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || -FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || -FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || -FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c -) { -avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); -goto overflow; +for (i = 0; i < 2; i++) { +if (shift_c < 0 || shift_y < 0 || +FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || +FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || +FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || +FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y +) { +avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); +goto overflow; +} } for (i = 0; i < 2; i++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
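Review bot: the rewritten loop re-evaluates `shift_c < 0 || shift_y < 0` on every iteration although it does not depend on `i`; hoisting it out is a minor cleanup. More importantly, `s->sprite_delta[1][i]` is checked against `INT_MAX >> shift_y` while `sprite_offset[1][i]` on the line above it is checked against `INT_MAX >> shift_c`, so the two row-1 checks use different shifts; if the deltas are only ever upshifted by `shift_y` the asymmetry is correct but should be commented, otherwise the chroma case is under-checked. The updated message "Too large sprite shift, delta or offset" is a useful touch for triage.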
[FFmpeg-cvslog] avcodec/shorten: Sanity check maxnlpc
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri Jun 9 02:16:54 2017 +0200| [37c77f74c277631463fe7e82e54bae5efdc48bee] | committer: Michael Niedermayer avcodec/shorten: Sanity check maxnlpc Fixes OOM Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37c77f74c277631463fe7e82e54bae5efdc48bee --- libavcodec/shorten.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 388d8dee78..a36a77210e 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -436,6 +436,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); +if (maxnlpc > 1024U) { +av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); +return AVERROR_INVALIDDATA; +} s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
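Review bot: `if (maxnlpc > 1024U)` is an arbitrary cap with no comment; since the purpose is to stop the OOM from a hostile LPC order, say so at the check and prefer a named constant over the literal. The error message uses `%d` for a value that is compared against `1024U`; if `maxnlpc`, which comes from `get_uint()`, is unsigned, `%u` is the matching specifier.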
[FFmpeg-cvslog] avcodec/hevc_refs: Check nb_refs in add_candidate_ref()
ffmpeg | branch: release/3.1 | Michael Niedermayer | Thu Jun 15 01:26:01 2017 +0200| [8d0c353b733bb36919b7c2ec7ae92d75d28196ed] | committer: Michael Niedermayer avcodec/hevc_refs: Check nb_refs in add_candidate_ref() Fixes: runtime error: index 16 out of bounds for type 'int [16]' Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d0c353b733bb36919b7c2ec7ae92d75d28196ed --- libavcodec/hevc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 611ad458de..df52e401ad 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -438,7 +438,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); -if (ref == s->ref) +if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
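Review bot: folding `list->nb_refs >= MAX_REFS` into the same `return AVERROR_INVALIDDATA` as the `ref == s->ref` self-reference case leaves the log with no hint of which condition fired; a brief `av_log` or a separate return would make fuzzer reports on this path easier to triage. The placement is right: the check precedes the `if (!ref)` path, so a full list no longer generates a missing-reference frame either. The subject's `int [16]` matches a `MAX_REFS` of 16.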
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check nonzerobits more completely
ffmpeg | branch: release/3.1 | Michael Niedermayer | Fri Jun 16 19:57:08 2017 +0200| [d51d7b0971443f17d3ca598fd6d83ade6785f442] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check nonzerobits more completely Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int' Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d51d7b0971443f17d3ca598fd6d83ade6785f442 --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b23e1678d5..f1abc9a5ef 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -960,9 +960,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); -if (v < 0) { +if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
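Review bot: the limit in `if (v < 0 || v > 30)` should be explained or named: 30 is presumably the largest exponent for which the later shift by `cblk->nonzerobits` still fits a 32-bit `int` (the report was a shift exponent of 36), and a comment or constant next to the consumer of `nonzerobits` would keep the two in sync. The message change to "invalid or unsupported" is a good call, since it distinguishes a negative value (malformed) from a legal but unhandled bit depth.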